Abstract

Elliptic curves over finite fields with predefined conditions on the order are constructed in practice using
the theory of complex multiplication. The stage with the longest calculations in this method reconstructs a
polynomial with integer coefficients. We prove theoretical results and give a detailed account of the method
itself and of how one can use a divisor of the mentioned polynomial with coefficients in some extension of
the field of rational numbers.

1 Introduction 


Elliptic curves play an important role in a variety of applications. For example, elliptic curves form a
basis for some public-key cryptosystems [1], primality tests [3] and factorization [3] of rational integers. These
applications use elliptic curves over finite fields whose order satisfies several restrictions. For instance, for
cryptographic applications the order should be a prime number or, at least, should have a large prime divisor.
One of the methods for constructing elliptic curves with predefined restrictions on the order is the following.
First, we generate an equation of an elliptic curve with random coefficients. Next, we calculate the order of
the generated curve and check whether the order satisfies the predefined conditions. If so, the construction is
done; otherwise, we repeat the process from the beginning. The possible values of the arising orders are distributed
approximately uniformly (a precise statement for prime fields of characteristic greater than 3 is available in
the literature). The calculation of the order of an elliptic curve has polynomial complexity. However, in practice the
complexity grows quite fast, so this method is quite slow.

Complex multiplication gives another, more practical method for constructing elliptic curves with predefined
restrictions on the order. This article is devoted to the complex multiplication method. Here we start
with calculating an order satisfying the predefined conditions and then construct an elliptic curve with this
order. Section 2 describes the details and some known optimizations.

We suggest a new optimization of the calculations. Further theoretical results used by this optimization are
proved in Sections 3 and 4. We describe the overall approach in Section 5 and the details in the subsequent sections.
2 The CM method

2.1 Theoretical basis 

Hereafter we always assume that $D \in \mathbb Z$ satisfies the following condition:

$D < 0$ and either $D \equiv 0 \pmod 4$ or $D \equiv 1 \pmod 4$. (1)

Consider the field $K = \mathbb Q(\sqrt D)$. Let $d$ be the discriminant of $K$. Then $d < 0$ and

• either $d \equiv 1 \pmod 4$ and $d$ is square-free, (2)

• or $d \equiv 0 \pmod 4$, $d/4$ is square-free and $d/4 \not\equiv 1 \pmod 4$. (3)

In addition, $D = f^2 d$, where $f \in \mathbb N$. Let $\mathcal O = \mathbb Z\left[\frac{d + \sqrt d}{2}\right]$ be the ring of algebraic integers of the field $K$. Let

$\mathcal O_D = \mathbb Z\left[f\,\frac{d + \sqrt d}{2}\right]$

be the order in $\mathcal O$ with conductor $f$. For any number field $M$ we denote the ring of integers of $M$ by $\mathcal O_M$; e.g. $\mathcal O_K = \mathcal O$.
We define a fractional ideal of the order $\mathcal O_D$ as a subset of $K$ which is a finitely generated $\mathcal O_D$-module
and contains a nonzero element. We define an ideal of $\mathcal O_D$ as a fractional ideal which is a subset of $\mathcal O_D$ (this
is the same as the standard definition of a ring ideal except that $\{0\}$ is not considered). We define a
proper (fractional) ideal of the order $\mathcal O_D$ as a (fractional) ideal $\mathfrak a$ such that $\{\beta \in K : \beta\mathfrak a \subseteq \mathfrak a\} = \mathcal O_D$. All
proper fractional ideals of an order form an abelian group under multiplication of ideals ([5, §7]). We
denote this group by $I(\mathcal O_D)$. It is easy to see that the principal fractional ideals, i.e. $\alpha\mathcal O_D$ with $\alpha \in K^*$, form a
subgroup of $I(\mathcal O_D)$; we denote this subgroup by $P(\mathcal O_D)$. Two ideals $\mathfrak a$ and $\mathfrak b$ are equivalent when they differ
by multiplication by a principal ideal. It is easy to see that this is indeed an equivalence relation; we denote
it by $\mathfrak a \sim \mathfrak b$. For brevity we call a class of equivalent proper fractional ideals an ideal class. Since
$P(\mathcal O_D)$ is a subgroup, the ideal classes form the factor group $\mathcal H_D = I(\mathcal O_D)/P(\mathcal O_D)$, called the ideal class group
of $\mathcal O_D$. The ideal class group is a finite abelian group ([5, §7]). Since $\mathcal O_D$ and $K$ are invariant under complex
conjugation, the conjugate of a fractional ideal (as a set) is itself a fractional ideal; thus complex conjugation
induces a well-defined operation on $\mathcal H_D$.

We define a quadratic form as an expression of the form $Ax^2 + Bxy + Cy^2$, where $A, B, C \in \mathbb Z$. We also
write $(A, B, C)$ for the same quadratic form. We define the discriminant of the quadratic
form as $B^2 - 4AC$. Two forms are equivalent if one can be transformed into the other by a change of variables
$x' = ax + by$, $y' = cx + dy$ with $a, b, c, d \in \mathbb Z$, $ad - bc = 1$; it is easy to see that this is indeed an equivalence
relation. The quadratic form $(A, B, C)$ is positive definite if $A > 0$ and $B^2 - 4AC < 0$; it is primitive if
$\gcd(A, B, C) = 1$. Hereafter we consider only primitive positive definite forms of discriminant $D$, calling
them just forms for brevity. We define the root of the form as the unique root $\tau$ of the equation
$At^2 + Bt + C = 0$ in the upper half-plane $\mathbb H = \{z \in \mathbb C : \operatorname{Im} z > 0\}$, i.e. $\tau = \frac{-B + \sqrt D}{2A} \in \mathbb H$. The form
$(A, B, C)$ is reduced when $|B| \le A \le C$ and, if $B < 0$, then $|B| < A < C$. Every form is equivalent to exactly
one reduced form ([5, Theorem 2.8]).

There is a one-to-one correspondence between elements of the group $\mathcal H_D$ and reduced forms. We denote this
correspondence by $\eta$. Namely ([5, Theorem 7.7]), a form $\mathfrak f = (A, B, C)$ with root $\tau$ corresponds to the class
$\eta(\mathfrak f) = \eta(A, B, C)$ of $\mathcal O_D$-ideals containing $(1, \tau)_{\mathbb Z} = \mathbb Z + \mathbb Z\tau$ (which is a proper fractional $\mathcal O_D$-ideal), and two equivalent
forms correspond to the same ideal class.

It is easy to enumerate all reduced forms: obviously, such a form has $|B| \le A \le \sqrt{|D|/3}$, and for fixed $A, B$
there exists at most one $C$ (namely $C = (B^2 - D)/(4A)$, which must be an integer). So reduced forms give a convenient way to organize the elements of $\mathcal H_D$.

The classical $j$-invariant is a function from the upper half-plane $\mathbb H$ to $\mathbb C$ ([6, §46]). It can also be defined on
lattices in $\mathbb C$ ([5, §10]) so that it does not change when a lattice is multiplied by any nonzero complex number,
and $j(\tau) = j((1, \tau)_{\mathbb Z})$ for $\tau \in \mathbb H$. Any proper fractional $\mathcal O_D$-ideal $\mathfrak a$ is also a lattice in $\mathbb C$. Obviously, $j(\mathfrak a)$ depends
only on the ideal class of $\mathfrak a$. From the computational point of view, if the fractional ideal $\mathfrak a$ belongs to the ideal
class corresponding to the form $Ax^2 + Bxy + Cy^2$ with root $\tau$ (i.e. $\mathfrak a \sim (1, \tau)_{\mathbb Z}$), then $j(\mathfrak a) = j(\tau)$.

For any elliptic curve and $n \in \mathbb Z$ we define the map $[n]$ which maps a point $P$ to $nP$. In particular, $[1]$ is the
identity map. We define an isogeny between two elliptic curves as a morphism (in the sense of algebraic geometry) which
maps the point at infinity of the first curve to the point at infinity of the second curve. We define an endomorphism
of an elliptic curve as an isogeny of the curve to itself. For any $n \in \mathbb Z$ and any elliptic curve the map $[n]$ is an
endomorphism ([7, Example III.4.1]) and commutes with any other endomorphism (because any isogeny is a
homomorphism of the groups of points due to [7, III.4.8]); the ring of endomorphisms of any elliptic curve
is a $\mathbb Z$-module with the action $n\psi = [n] \circ \psi$, where $n \in \mathbb Z$ and $\psi$ is an endomorphism. The endomorphisms $\{[n] : n \in \mathbb Z\}$
form a ring isomorphic to $\mathbb Z$ ([7, Proposition III.4.2]).

The ring of endomorphisms of an elliptic curve over $\mathbb C$ is either equal to $\{[n] : n \in \mathbb Z\}$ or isomorphic to an
order in some imaginary quadratic field ([7, Corollary III.9.4 and Exercise 3.18b]). In the latter case the curve
is said to have complex multiplication by this order. There exist exactly $|\mathcal H_D|$ non-isomorphic elliptic curves
with complex multiplication by $\mathcal O_D$ ([7, Proposition C.11.1]). These curves can be characterized as follows: the
$j$-invariant of such a curve equals one of the values of the modular $j$-invariant at an ideal representing an ideal class of $\mathcal O_D$.
These values are called singular values (of the function $j$). Any singular value generates over $K$ the same field
$L = L(D) = K(j(\mathfrak a))$, which is called the ring class field of $\mathcal O_D$ ([5, Theorem 11.1]). The Galois group of the
extension $L/K$ is isomorphic to $\mathcal H_D$ ([5, §9]). We denote the canonical isomorphism by $\Lambda$; it maps the ideal class
containing $\mathfrak b$ to the automorphism sending $j(\mathfrak a)$ to $j(\mathfrak a\mathfrak b^{-1})$ ([5, Corollary 11.37]). Complex conjugation
acts as follows: $\overline{j(\mathfrak a)} = j(\bar{\mathfrak a})$ by the definition of $j$ ([5, §10]) and $\mathfrak a\bar{\mathfrak a} \sim \mathcal O_D$ ([5, (7.6)]); therefore $\overline{j(\mathfrak a)} = j(\mathfrak a^{-1})$.

Let us consider the polynomial $H_D[j](x) = \prod_{i=1}^{h}(x - j(\mathfrak a_i))$, where $h = |\mathcal H_D|$ and the $\mathfrak a_i$ represent all ideal
classes of $\mathcal O_D$. The coefficients of $H_D[j]$ are elements of $L$ which are invariant under the action of $\operatorname{Gal}(L/K)$ and
under complex conjugation; therefore they lie in $\mathbb Q$. Moreover, the values $j(\mathfrak a_i)$ are algebraic integers ([5, Theorem
11.1]), so $H_D[j](x) \in \mathbb Z[x]$.

Let $p$ be a prime number, $n$ a natural number, $q = p^n$. Let $E$ be an elliptic curve defined over the finite field
$\mathbb F_q$. Unless explicitly specified, we consider $\bar{\mathbb F}_q$-points and $\bar{\mathbb F}_q$-endomorphisms of the curve $E$. The order of the
curve is the number of $\mathbb F_q$-points. The ring of endomorphisms $\operatorname{End}(E)$ is isomorphic either to an order in some
imaginary quadratic field or to an order in some quaternion algebra over $\mathbb Q$ ([7, Corollary III.9.4 and Theorem
V.3.1]). In the latter case the curve $E$ is called supersingular, and we are not interested in such curves. In the first case
$\operatorname{End}(E) = \mathcal O_D$ for some $D$ satisfying (1); $\operatorname{End}(E) = ([1], \alpha)_{\mathbb Z}$, where $\alpha$ is some endomorphism of $E$. It turns out
([8, Theorem 13.14]) that the curve and the endomorphism $\alpha$ can be "lifted" to $\mathbb C$ in the following sense: there
exist a number field $L'$, an elliptic curve $E'$ defined over $L'$, an endomorphism $\alpha'$ of $E'$, an ideal $\mathfrak P' \subseteq \mathcal O_{L'}$ lying
above $p$ (i.e. $\mathfrak P' \cap \mathbb Z = p\mathbb Z$) and a reduction of $E'$ modulo $\mathfrak P'$ such that the reduced curve is isomorphic to $E$ and
$\alpha'$ corresponds to $\alpha$ under the reduction. Since $\alpha \notin \{[n] : n \in \mathbb Z\}$, we have $\alpha' \notin \{[n] : n \in \mathbb Z\}$, so $\operatorname{End}(E') \ne \mathbb Z$
and $E'$ has complex multiplication by some order in some imaginary quadratic field. Due to the properties of
reduction ([8, Theorem 13.12]), it induces an isomorphism of $\operatorname{End}(E')$ onto a subring of $\operatorname{End}(E)$. Since $\alpha'$ reduces
to $\alpha$, we have $\operatorname{End}(E') = \operatorname{End}(E) = \mathcal O_D$.

The ring $\operatorname{End}(E)$ contains the Frobenius isogeny $\operatorname{Fr} : (x, y) \mapsto (x^q, y^q)$ and its dual isogeny $\widehat{\operatorname{Fr}}$. We have
$\operatorname{Fr} \circ \widehat{\operatorname{Fr}} = [q]$ ([7, Theorem III.6.2 and Proposition 2.11]) and $[\,|E(\mathbb F_q)|\,] = [\,|\operatorname{Ker}([1] - \operatorname{Fr})|\,] = ([1] - \operatorname{Fr}) \circ ([1] - \widehat{\operatorname{Fr}})$
(the first equality follows from the fact that $\operatorname{Fr}$ fixes the $\mathbb F_q$-points and only them; the second equality follows from
[7, Theorem III.4.10, Corollary III.5.5, Theorem III.6.2]). Let $\pi \in \mathcal O_D = \operatorname{End}(E)$ be the element corresponding
to $\operatorname{Fr}$ and $\pi'$ the element corresponding to $\widehat{\operatorname{Fr}}$. Then $\pi\pi' = q$ and $(1 - \pi)(1 - \pi') = |E(\mathbb F_q)|$. In particular,
if $\pi \notin \mathbb R$, these equations imply that $\pi'$ is indeed the complex conjugate $\bar\pi$ of $\pi$; otherwise $\pi \in \mathbb R \cap \mathcal O_D = \mathbb Z$, so
$\operatorname{Fr} = [\pi]$, and in this case $\widehat{\operatorname{Fr}} = \operatorname{Fr}$ ([7, Theorem III.6.2]), hence $\pi'$ equals the complex conjugate of $\pi$ too.

Since $\pi \in \mathcal O_D$, there exist $u, v \in \mathbb Z$ such that $\pi = \frac{u + v\sqrt D}{2}$. Then $\bar\pi = \frac{u - v\sqrt D}{2}$ and $q = \pi\bar\pi = \frac{u^2 - Dv^2}{4}$, i.e.

$4q = u^2 + |D|v^2.$

The order of $E$ is $1 - \pi - \bar\pi + \pi\bar\pi = q + 1 - u$. Due to [7, Exercise 5.10] the non-supersingularity of $E$ implies
$\gcd(q, u) = 1$.

Let us sum up the above. If $E$ is a non-supersingular elliptic curve over $\mathbb F_q$, then there exist an integer $D$,
a number field $L'$ and an elliptic curve $E'$ over $L'$ such that

• $E'$ has complex multiplication by $\mathcal O_D$,

• there exists a reduction of $E'$ isomorphic to $E$,

• the order of $E$ is $q + 1 - u$, where $u \in \mathbb Z$ is such that for some $v \in \mathbb Z$ the equality $4q = u^2 + |D|v^2$ holds.



2.2 Basic algorithm

We want to go in the other direction and construct such curves $E$. In order to do this, we implement the
following scheme.

1. Select the numbers $q = p^n$ ($p$ a prime) and $u, v, D \in \mathbb Z$ such that $D$ satisfies (1),

$4q = u^2 + |D|v^2$, (4)

$\gcd(u, q) = 1$, (5)

and the field size $q$ and the order $q + 1 - u$ of the future curve satisfy the predefined restrictions required
by the concrete application.

2. Calculate the polynomial $H_D[j](x)$.

3. Reduce the polynomial $H_D[j](x)$ modulo $p$. This gives a polynomial over $\mathbb F_p \subseteq \mathbb F_q$; this polynomial (as
we will show) splits into linear factors over $\mathbb F_q$. Calculate any root of this polynomial. Generate an elliptic
curve $E''$ over $\mathbb F_q$ whose $j$-invariant equals the found root.

4. The curve $E''$ has complex multiplication by $\mathcal O_D$. An isomorphism over $\bar{\mathbb F}_q$ does not change the ring of complex
multiplication, but can change the number of $\mathbb F_q$-points. Construct the curve isomorphic to $E''$ with
order $q + 1 - u$.

We define the Kronecker symbol $\left(\frac{a}{b}\right)$, where $a \in \mathbb Z$, $b \in \mathbb N$, as follows. If $b$ is an odd prime, the Kronecker symbol
equals the Legendre symbol. If $b = 2$, the Kronecker symbol is defined only for $a \equiv 0, 1 \pmod 4$ and equals

$\left(\frac{a}{2}\right) = \begin{cases} 1, & a \equiv 1 \pmod 8, \\ -1, & a \equiv 5 \pmod 8, \\ 0, & a \equiv 0 \pmod 4. \end{cases}$

In the general case the Kronecker symbol is defined by multiplicativity in $b$.

The conditions (4) and (5) impose quite strong restrictions on $q$ and $p$. In particular, the following lemma
holds.

Lemma 1. Let $d < 0$ satisfy one of the conditions (2) or (3), $D = df^2$. Assume that $q = p^n$ and some integers $u$,
$v$ satisfy the conditions

$4q = u^2 + |D|v^2, \qquad \gcd(q, u) = 1.$

Then

1. $\left(\frac{D}{p}\right) = \left(\frac{d}{p}\right) = 1$; (6)

2. $p \nmid f$;

3. $p\mathcal O = \mathfrak p\bar{\mathfrak p}$, where $\mathfrak p \ne \bar{\mathfrak p}$ are prime ideals of $\mathcal O$;

4. $\frac{u + v\sqrt D}{2} \in \mathcal O_D$;

5. $\mathfrak p^n = \frac{u + v\sqrt D}{2}\mathcal O$ or $\bar{\mathfrak p}^n = \frac{u + v\sqrt D}{2}\mathcal O$.

Proof. The equality $4q = u^2 + |D|v^2$ and the condition $p \nmid u$ imply that $p \nmid D$ and $p \nmid v$. Reducing modulo $p$, we
obtain $u^2 - Dv^2 \equiv 0 \pmod p$, so $D \equiv (uv^{-1})^2 \pmod p$ (for $p = 2$ note that $u, v$ are odd, so $u^2 \equiv v^2 \equiv 1 \pmod 8$ and $4q \equiv 0 \pmod 8$ give $D \equiv 1 \pmod 8$). To conclude the proof of the first assertion, it remains
to note that $D = df^2$.

The second assertion follows obviously from $p \nmid D$.

The third assertion follows from the first one due to a well-known fact from the theory of quadratic fields
(e.g. [9, Propositions 13.1.3 and 13.1.4]).

To prove the fourth assertion, we reduce the equality $4q = u^2 + |D|v^2$ modulo 2. If $D$ is even, then $u$
is even,

$\mathcal O_D = \mathbb Z\left[f\,\frac{d + \sqrt d}{2}\right] = \mathbb Z\left[\frac{\sqrt D}{2}\right]$

and $\frac{u + v\sqrt D}{2} = \frac u2 + v\,\frac{\sqrt D}{2} \in \mathcal O_D$. If $D$ is odd, then $u \equiv v \pmod 2$,

$\mathcal O_D = \mathbb Z\left[f\,\frac{d + \sqrt d}{2}\right] = \mathbb Z\left[\frac{1 + \sqrt D}{2}\right]$

and $\frac{u + v\sqrt D}{2} = \frac{u - v}{2} + v\,\frac{1 + \sqrt D}{2} \in \mathcal O_D$.

Finally, note that

$\frac{u + v\sqrt D}{2}\mathcal O \cdot \frac{u - v\sqrt D}{2}\mathcal O = q\mathcal O = p^n\mathcal O = \mathfrak p^n\bar{\mathfrak p}^n.$

Since $p \nmid u$, we have $\mathfrak p\bar{\mathfrak p} = p\mathcal O \nmid \frac{u + v\sqrt D}{2}\mathcal O$ (otherwise $\frac{u + v\sqrt D}{2p}$ would be an algebraic integer with trace $u/p \notin \mathbb Z$). The last assertion follows from the uniqueness of factorization into
prime ideals in $\mathcal O$. □

Now we discuss some implementation details of the generic scheme.

The implementation of the first stage depends on the restrictions on the field size $q$ and the curve order.

If $q$ is fixed, scan over integers $D$ satisfying (1). For every $D$, first check the necessary condition (6); if it
does not hold, continue to the next $D$. Assume that $D$ satisfies (6). Apply the Cornacchia algorithm ([10]), which
solves the equation $x^2 + |D|y^2 = m$, to $m = 4q$. If there is no solution, continue to the next $D$. If a solution is
found, check whether $q + 1 \pm x$ satisfies the restrictions on the order.

If $q$ is not fixed, it is more efficient to fix $D$ instead. First, fix $D$ satisfying (1).
Next, generate $u, v$ at random, calculate $q$ from (4) and $q + 1 \pm u$; repeat until the required restrictions
are met. Some improvements of this method are suggested in [11] and [12]. In essence, these improvements
implement the following idea: one can select the parameters $u, v$ less randomly and guarantee the absence of small
prime divisors of $q$ and of $q + 1 \pm u$ (or at least decrease the probability of such divisors). As an
example, assume the following restrictions: $p$ is odd and one of $q + 1 \pm u$ is an odd prime (that is the case in
[11]). It is easy to see that then $D \equiv 5 \pmod 8$ and $u, v$ must be odd. [12] suggests starting from $u = 210u_0 + 1$,
$v = 210v_0 + 105$, where $u_0, v_0$ are random integers; if the initial values are bad, continue by adding to $u$ the numbers
106 and $104 = 210 - 106$ in turn. Note that $210 = 105 \cdot 2 = 2 \cdot 3 \cdot 5 \cdot 7$. This choice guarantees that $q$ and
one of $q + 1 \pm u$ are not divisible by 2, 3, 5, 7. The method from [11] uses more small divisors and is cumbersome,
so we do not quote it here. The performance of the different methods is compared in [12].
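The first stage for a fixed prime field, as an added worked example (this code is not from the paper or from [10]; it is written here to illustrate the scan just described). It restricts to $q = p$ an odd prime, checks condition (6) with the Legendre symbol, and solves $4p = u^2 + |D|v^2$ with the "$4p$" variant of Cornacchia's algorithm (Cohen, Algorithm 1.5.3), which needs a modular square root; the prime-power case $q = p^n$, $n > 1$, is not handled. The function names and the toy value $p = 7$ are this example's own choices.

```python
"""Stage 1 of the CM method for q = p an odd prime: choose D, solve
4p = u^2 + |D| v^2 and list the reachable curve orders p + 1 -/+ u.

Added example, not from the original paper.  Condition (6) of Lemma 1 is
checked with the Legendre symbol; the equation is solved with the "4p"
variant of Cornacchia's algorithm (Cohen, Algorithm 1.5.3), which needs a
modular square root (Tonelli-Shanks).  Prime powers q = p^n, n > 1, are
not handled.
"""
from math import gcd, isqrt


def legendre(a, p):
    """Legendre symbol (a/p), p an odd prime, by Euler's criterion."""
    a %= p
    if a == 0:
        return 0
    return 1 if pow(a, (p - 1) // 2, p) == 1 else -1


def sqrt_mod_prime(n, p):
    """A square root of n modulo the odd prime p, or None (Tonelli-Shanks)."""
    n %= p
    if n == 0:
        return 0
    if legendre(n, p) != 1:
        return None
    if p % 4 == 3:
        return pow(n, (p + 1) // 4, p)
    q, s = p - 1, 0
    while q % 2 == 0:
        q, s = q // 2, s + 1
    z = 2
    while legendre(z, p) != -1:
        z += 1
    m, c, t, r = s, pow(z, q, p), pow(n, q, p), pow(n, (q + 1) // 2, p)
    while t != 1:
        i, t2 = 0, t
        while t2 != 1:
            t2, i = t2 * t2 % p, i + 1
        b = pow(c, 1 << (m - i - 1), p)
        m, c, t, r = i, b * b % p, t * b * b % p, r * b % p
    return r


def cornacchia_4p(p, D):
    """Solve 4p = u^2 + |D| v^2 (u, v > 0, gcd(u, p) = 1) for an odd prime p
    and D < 0, D = 0 or 1 (mod 4); return (u, v) or None."""
    if D >= 0 or D % 4 not in (0, 1) or 4 * p + D <= 0:
        return None
    if legendre(D, p) != 1:          # condition (6): p must split in K
        return None
    x0 = sqrt_mod_prime(D, p)
    if x0 % 2 != D % 2:              # lift to a root of x^2 = D (mod 4p)
        x0 = p - x0
    a, b = 2 * p, x0
    bound = isqrt(4 * p)
    while b > bound:                 # Euclidean algorithm on (2p, x0)
        a, b = b, a % b
    rem = 4 * p - b * b
    if rem % (-D):
        return None
    v = isqrt(rem // (-D))
    if v * v != rem // (-D) or v == 0 or gcd(b, p) != 1:
        return None
    return b, v


def is_prime(n):
    """Trial division; adequate for the small demonstration values."""
    return n >= 2 and all(n % d for d in range(2, isqrt(n) + 1))


def cm_parameter_scan(p, max_abs_D, order_ok=None):
    """Scan D = -3, -4, -7, ... >= -max_abs_D (condition (1)) for fixed p.
    Returns a list of (D, u, v, (p+1-u, p+1+u)); with `order_ok` given,
    only D for which at least one of the two orders passes the predicate."""
    found = []
    for D in range(-3, -max_abs_D - 1, -1):
        if D % 4 not in (0, 1):
            continue
        sol = cornacchia_4p(p, D)
        if sol is None:
            continue
        u, v = sol
        orders = (p + 1 - u, p + 1 + u)
        if order_ok is None or any(order_ok(n) for n in orders):
            found.append((D, u, v, orders))
    return found


if __name__ == "__main__":
    # Constructed toy parameters: p = 7, we want a prime-order curve.
    for D, u, v, orders in cm_parameter_scan(7, 20, is_prime):
        print(f"D = {D}: 4*7 = {u}^2 + {-D}*{v}^2, reachable orders {orders}")
```

For $p = 7$ the scan accepts only $D \in \{-3, -12, -19\}$ below 20 in absolute value; $D = -4, -8, -11, -15, -16$ fail (6), $D = -7$ has $p \mid D$, and $D = -20$ passes (6) but $4 \cdot 7 = u^2 + 20v^2$ has no solution. Note that for $D = -3$ the equation $28 = u^2 + 3v^2$ has two solutions ($u = 5$ and $u = 1$), which is the unit-group phenomenon treated in the fourth stage.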

The second stage consists of calculating the polynomial $H_D[j](x)$. Enumerate all reduced forms (there are
$h = |\mathcal H_D|$ of them). Calculate their roots $\tau_1, \dots, \tau_h$. Calculate the values $j(\tau_1), \dots, j(\tau_h)$ as complex numbers
with sufficiently large precision. Calculate the coefficients of the polynomial $H_D[j](x)$ approximately. If the
precision is large enough, then the possible error in the coefficients is less than $1/2$ and the exact values (which are
integers) can be obtained by rounding.
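The second stage carried out in code, as an added example (not code from the paper): the reduced forms of discriminant $D$ are enumerated with the bound $|B| \le A \le \sqrt{|D|/3}$, $j$ is evaluated at each root from the standard $q$-expansions $j = E_4^3/\Delta$, and the product $\prod(x - j(\tau_i))$ is rounded to integers. Ordinary double-precision complex arithmetic is used, which is enough for the small $|D|$ exercised here (the example verifies $H_{-40}[j]$ quoted in Section 2.3); a real implementation needs multiprecision and the precision bound discussed above. Function names are this example's own.

```python
"""Stage 2 of the CM method: reduced forms of discriminant D and the class
polynomial H_D[j](x) obtained by rounding a floating-point product.

Added example, not from the original paper.  j(tau) is evaluated from the
q-expansions E4 = 1 + 240 sum sigma_3(n) q^n and Delta = q prod (1-q^n)^24
as j = E4^3 / Delta with double-precision complex arithmetic; sufficient
for the small |D| used here, not for cryptographic sizes.
"""
import cmath
from math import gcd, isqrt


def reduced_forms(D):
    """All reduced primitive positive definite forms (A, B, C) of discriminant D < 0."""
    assert D < 0 and D % 4 in (0, 1)
    forms = []
    for A in range(1, isqrt(-D // 3) + 1):        # |B| <= A <= sqrt(|D|/3)
        for B in range(-A, A + 1):
            if (B - D) % 2:                        # B has the parity of D
                continue
            if (B * B - D) % (4 * A):
                continue
            C = (B * B - D) // (4 * A)
            if C < A or (B < 0 and (A == -B or A == C)):
                continue                           # not reduced
            if gcd(gcd(A, abs(B)), C) != 1:
                continue                           # not primitive
            forms.append((A, B, C))
    return forms


def form_root(form):
    """tau = (-B + sqrt(D)) / (2A), the root of the form in the upper half-plane."""
    A, B, C = form
    D = B * B - 4 * A * C
    return complex(-B, (-D) ** 0.5) / (2 * A)


def j_invariant(tau, terms=60):
    """j(tau) = E4(tau)^3 / Delta(tau) via truncated q-expansions."""
    q = cmath.exp(2j * cmath.pi * tau)
    sigma3 = [sum(d ** 3 for d in range(1, n + 1) if n % d == 0)
              for n in range(terms + 1)]
    e4 = 1 + 240 * sum(sigma3[n] * q ** n for n in range(1, terms + 1))
    delta = q
    for n in range(1, terms + 1):
        delta *= (1 - q ** n) ** 24
    return e4 ** 3 / delta


def hilbert_class_polynomial(D):
    """Integer coefficients of H_D[j](x), highest degree first."""
    poly = [1 + 0j]
    for form in reduced_forms(D):
        r = j_invariant(form_root(form))
        # multiply the current polynomial by (x - r)
        poly = [a - r * b for a, b in zip(poly + [0], [0] + poly)]
    # the rounding step of the text: every coefficient must already be
    # within 1/2 of an integer (we demand 1/4 to detect precision loss)
    assert all(abs(c.imag) < 0.25 and abs(c.real - round(c.real)) < 0.25 for c in poly)
    return [round(c.real) for c in poly]


if __name__ == "__main__":
    print(reduced_forms(-40), hilbert_class_polynomial(-40))
```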

For a number field $M$, a prime ideal $\mathfrak c \subseteq \mathcal O_M$ and $z \in \mathcal O_M$ we denote by $R_{\mathfrak c}(z)$ the reduction of $z$ modulo $\mathfrak c$.
So $R_{\mathfrak c}$ is a map from $\mathcal O_M$ to a finite field. The map $R_{\mathfrak c}$ also acts on polynomials from $\mathcal O_M[x]$, reducing every
coefficient.

For the third stage we must show that the polynomial

$R_{p\mathbb Z}(H_D[j](x))$

splits into linear factors over $\mathbb F_q$. Also we must construct an elliptic curve from its $j$-invariant.

Lemma 1 implies that $p\mathcal O = \mathfrak p\bar{\mathfrak p}$. Let $\mathfrak P \subseteq \mathcal O_L$ be a prime ideal lying above $\mathfrak p$. Since $\mathfrak P \cap \mathbb Z = \mathfrak p \cap \mathbb Z = p\mathbb Z$, we
have

$R_{p\mathbb Z}(H_D[j](x)) = R_{\mathfrak P}(H_D[j](x)) = \prod_{i=1}^{h}\left(x - R_{\mathfrak P}(j(\mathfrak a_i))\right), \qquad (7)$

so $R_{p\mathbb Z}(H_D[j](x))$ splits into linear factors over $\mathcal O_L/\mathfrak P$. Therefore, it remains to prove the following theorem.

Theorem 1.

$\mathcal O_L/\mathfrak P \subseteq \mathbb F_q. \qquad (8)$

Proof. Let $\mathfrak c \subseteq \mathcal O$ be a prime ideal unramified in $L$. Let $\mathfrak C \subseteq \mathcal O_L$ be a prime ideal lying above $\mathfrak c$. Let $\left(\frac{L/K}{\mathfrak C}\right)$
denote the Artin symbol [5, §5] (it is defined for any Galois extension $K \subseteq L$, but we use it only for the
fields $K$ and $L$ defined above), namely the unique ([5, Lemma 5.19]) element $\sigma \in \operatorname{Gal}(L/K)$ such that $\sigma(a) \equiv a^{\operatorname{Norm}(\mathfrak c)} \pmod{\mathfrak C}$ for any $a \in \mathcal O_L$. Since $\operatorname{Gal}(L/K) \cong \mathcal H_D$ is abelian, the Artin symbol depends only on $\mathfrak c$
([5, Corollary 5.21]) and can be denoted $\left(\frac{L/K}{\mathfrak c}\right)$. For a fractional $\mathcal O$-ideal $\mathfrak b = \mathfrak c_1^{s_1}\cdots\mathfrak c_k^{s_k}$ we define
$\left(\frac{L/K}{\mathfrak b}\right) = \left(\frac{L/K}{\mathfrak c_1}\right)^{s_1}\cdots\left(\frac{L/K}{\mathfrak c_k}\right)^{s_k}$. The map $\mathfrak b \mapsto \left(\frac{L/K}{\mathfrak b}\right)$ is a homomorphism from the group of those fractional $\mathcal O$-ideals whose
factorization contains no prime ideals ramified in $L$ to the group $\operatorname{Gal}(L/K)$. This homomorphism is called
the Artin map.

Let $P_{K,\mathbb Z}(f)$ ([5, §9]) denote the subgroup of fractional $\mathcal O$-ideals generated by the principal ideals of the form
$\alpha\mathcal O$, $\alpha \in \mathcal O$, $\alpha \equiv a \pmod{f\mathcal O}$ for some $a \in \mathbb Z$ with $\gcd(a, f) = 1$. According to [5, §9], the ring class field $L$ of
$\mathcal O_D$ is the unique abelian extension of $K$ such that

• all prime ideals of $\mathcal O$ ramified in $L$ divide $f\mathcal O$ (consequently, all ideals from $P_{K,\mathbb Z}(f)$ are unramified in $L$: if
$\alpha \equiv a \pmod{f\mathcal O}$, then $\gcd(\alpha\mathcal O, f\mathcal O) = \gcd(a\mathcal O, f\mathcal O) = \gcd(a, f)\mathcal O = \mathcal O$, so $\alpha\mathcal O$ is prime to $f\mathcal O$),

• the kernel of the Artin map is $P_{K,\mathbb Z}(f)$.

Let $\pi = \frac{u + v\sqrt D}{2}$. Lemma 1 implies that either $\mathfrak p^n = \pi\mathcal O$ or $\bar{\mathfrak p}^n = \pi\mathcal O$. In both cases the ideal $\mathfrak p^n$ is principal and
lies in $P_{K,\mathbb Z}(f)$: writing $\sqrt D = f\sqrt d = f\left(2\,\frac{d + \sqrt d}{2} - d\right)$ we get
$\pi = \frac{u - vfd}{2} + vf\,\frac{d + \sqrt d}{2} \equiv \frac{u - vfd}{2} \pmod{f\mathcal O}$, where $\frac{u - vfd}{2} \in \mathbb Z$ by the parity argument of Lemma 1, and this integer is prime to $f$, because a common prime divisor $l$ would give $\pi \in l\mathcal O$, hence $l^2 \mid \operatorname{Norm}(\pi) = q$ and $l = p$, contradicting $p \nmid f$ (Lemma 1). Therefore $\mathfrak p^n$ lies in the kernel of the Artin map. Equivalently,
$\left(\frac{L/K}{\mathfrak p}\right)^n = 1$. The automorphism $\left(\frac{L/K}{\mathfrak p}\right)$ acts on $\mathcal O_L/\mathfrak P$ as $x \mapsto x^{\operatorname{Norm}(\mathfrak p)} = x^p$, so its $n$-th power acts as
$x \mapsto x^{p^n} = x^q$. This means that the map $x \mapsto x^q$ acts trivially on $\mathcal O_L/\mathfrak P$, which is possible only if
$\mathcal O_L/\mathfrak P \subseteq \mathbb F_q$. □

Using the formulas from [7, Proposition A.1.1], it is easy to check that for $j \in \mathbb F_q$ or $j \in \mathbb C$ the following curves,
defined over $\mathbb F_q$ or $\mathbb C$ respectively, have $j$-invariant equal to $j$:

• if the field characteristic is 0 or greater than 3, when $j \ne 0$, $j \ne 1728$: $y^2 = x^3 + 3cx + 2c$, where $c = \frac{j}{1728 - j}$;

• if the field characteristic is 0 or greater than 3, when $j = 0$: $y^2 = x^3 + 1$;

• if the field characteristic is 0 or greater than 3, when $j = 1728$: $y^2 = x^3 + x$;

• over the field $\mathbb F_q$ of characteristic 2, when $j \in \mathbb F_q^*$: $y^2 + xy = x^3 + j^{-1}$;

• over the field $\mathbb F_q$ of characteristic 3, when $j \in \mathbb F_q^*$: $y^2 = x^3 + x^2 - j^{-1}$.

The missing cases with $j = 0$ in characteristics 2 and 3 correspond to supersingular curves ([7, Exercise 5.7,
Theorem V.4.1]), so they cannot arise.

For the fourth stage we must show that the curve $E''$ (constructed in the third stage) has complex
multiplication by $\mathcal O_D$ (in particular, it is non-supersingular).

It follows from the construction of the curve $E''$ and from (7) that the $j$-invariant of $E''$ equals $R_{\mathfrak P}(j(\mathfrak a))$,
where $\mathfrak a$ is some proper fractional $\mathcal O_D$-ideal. Since $j(\mathfrak a) \in \mathcal O_L$, there exist ([13, §4.3]) a finite extension $L'$ of $L$,
a curve $E'$ defined over $L'$ and a prime ideal $\mathfrak P' \subseteq \mathcal O_{L'}$ lying above $\mathfrak P$ such that $j(E') = j(\mathfrak a)$ and the equation
of $E'$ reduced modulo $\mathfrak P'$ gives a non-singular curve (over a finite field).

Since $j(E')$ equals a singular value, $E'$ has complex multiplication by $\mathcal O_D$. Since the $j$-invariant of the reduced
curve equals the reduced $j$-invariant (because the $j$-invariant is a rational function of the coefficients) and $\mathfrak P' \cap \mathcal O_L = \mathfrak P$,
the $j$-invariant of the curve $E'$ reduced modulo $\mathfrak P'$ equals $R_{\mathfrak P'}(j(\mathfrak a)) = R_{\mathfrak P}(j(\mathfrak a)) = j(E'')$. Two elliptic curves are
isomorphic over the algebraic closure if and only if their $j$-invariants are equal ([7, Proposition III.1.4]); therefore $E''$ is isomorphic to the
reduction of $E'$. Finally, Lemma 1 and the properties of reduction ([8, Theorem 13.12]) imply that $E''$ is
non-supersingular and $\operatorname{End}(E'') = \operatorname{End}(E') = \mathcal O_D$.
Therefore, the fourth stage starts with the curve $E''$ defined over $\mathbb F_q$, which has complex multiplication by
$\mathcal O_D$. As shown above, the order of the curve $E''$ equals $q + 1 - \tilde u$, where $4q = \tilde u^2 + |D|\tilde v^2$ and $\gcd(q, \tilde u) = 1$, but
$\tilde u, \tilde v$ are not necessarily equal to $u, v$. Let $\tilde\pi = \frac{\tilde u + \tilde v\sqrt D}{2} \in \mathcal O_D \subseteq \mathcal O$. Due to Lemma 1 either $\tilde\pi\mathcal O = \mathfrak p^n$ or
$\tilde\pi\mathcal O = \bar{\mathfrak p}^n$. The same holds for $\pi\mathcal O$. Thus, either $\tilde\pi\mathcal O = \pi\mathcal O$ or $\tilde\pi\mathcal O = \bar\pi\mathcal O$. Since the norm of the $\mathcal O_D$-ideal
$\tilde\pi\mathcal O_D$ equals $|\operatorname{Norm}(\tilde\pi)| = q$ and is prime to the conductor $f$ of the order $\mathcal O_D$, we have $\tilde\pi\mathcal O_D = \tilde\pi\mathcal O \cap \mathcal O_D$ ([5,
Proposition 7.20]). Similarly, $\pi\mathcal O_D = \pi\mathcal O \cap \mathcal O_D$. Thus, either $\tilde\pi\mathcal O_D = \pi\mathcal O_D$ or $\tilde\pi\mathcal O_D = \bar\pi\mathcal O_D$.
Equivalently, the number $\tilde\pi$ is associated either with $\pi$ or with $\bar\pi$ in the ring $\mathcal O_D$.

It is well known (e.g. [9, Proposition 13.1.5]) that the group of units of $\mathcal O_D$ is $\{\pm 1\}$ if $D \notin \{-3, -4\}$,
$\{\pm 1, \pm\zeta_3, \pm\zeta_3^2\}$ if $D = -3$, and $\{\pm 1, \pm i\}$ if $D = -4$. Here $\zeta_3 = e^{2\pi i/3} = \frac{-1 + \sqrt{-3}}{2}$.

If $D \notin \{-3, -4\}$, we have $\tilde\pi = \pm\pi$ or $\tilde\pi = \pm\bar\pi$. This corresponds to $\tilde u = \pm u$. Therefore, in this case
$|E''(\mathbb F_q)| = q + 1 \pm u$. If $|E''(\mathbb F_q)| = q + 1 - u$, the curve $E''$ is the one we are looking for. Otherwise, we construct the
quadratic twist of $E''$ as follows. If $p \ne 2$, the normal Weierstrass form of the curve equation is $y^2 = f(x)$, where
$f$ is a monic polynomial of degree 3 (in particular, the formulas above give the
equation in this form), and the curve $y^2 = c^3 f(x/c)$, where $c$ is any quadratic non-residue in $\mathbb F_q$, has the required
order ([14]). If $p = 2$, the normal form is $y^2 + xy = x^3 + a_2x^2 + a_6$, and the curve $y^2 + xy = x^3 + (a_2 + \gamma)x^2 + a_6$,
where $\operatorname{Tr}_{\mathbb F_q/\mathbb F_2}\gamma = 1$, has the required order ([14]).

If $D = -3$, the procedure for calculating $H_D[j]$ yields the polynomial $H_{-3}[j](x) = x$; it has the only root
$j = 0$. Formula (6) in this case reads $\left(\frac{-3}{p}\right) = 1$ and implies $p \equiv 1 \pmod 3$, in particular $p > 3$. Any curve
of the form $y^2 = x^3 + b$, $b \ne 0$, has $j$-invariant equal to 0 ([7, Proposition A.1.1]), and all such curves are
$\bar{\mathbb F}_q$-isomorphic (because they have the same $j$-invariant).

Let $\chi$ be the unique multiplicative character of $\mathbb F_q$ of order 2. Let $S_2(b) = \sum_{x \in \mathbb F_q}\chi(x^3 + b)$. It is easy to
see that the order of the curve $y^2 = x^3 + b$ equals $q + 1 + S_2(b)$. The equality $p \equiv 1 \pmod 3$ implies $q \equiv 1 \pmod 3$.
According to [15] (the article [15] considers only the case $q = p$, where $\chi$ is the Legendre symbol, but
the arguments generalize trivially), there exist $k, l \in \mathbb Z$ such that for any cubic non-residue $c \in \mathbb F_q^*$ the
equalities $S_2(1) = 2k$, $S_2(c^2) = -k \pm 3l$, $S_2(c^{-2}) = -k \mp 3l$ and $q = k^2 + 3l^2$ hold. Moreover, $S_2(b) = \chi(t)S_2(bt^3)$
for any $t \in \mathbb F_q^*$.

The curve $E''$ generated in the third stage is $y^2 = x^3 + 1$; therefore $\tilde u = -S_2(1) = -2k$, $q = k^2 + 3l^2$ and
$l = \pm\frac{S_2(c^2) - S_2(c^{-2})}{6}$ for any cubic non-residue $c$ in $\mathbb F_q$. Since $|\tilde\pi|^2 = q$, it follows that $\tilde\pi = -k \pm l\sqrt{-3}$. Replacing
$c$ by $c^{-1}$ if needed, we obtain $\tilde\pi = -k - l\sqrt{-3}$ with $l = \frac{S_2(c^2) - S_2(c^{-2})}{6}$.

Either $\pi$ or $\bar\pi$ equals the product of $\tilde\pi$ and some unit of $\mathcal O_{-3}$. In both cases $u = 2\operatorname{Re}\pi$ equals twice the real
part of the product of $\tilde\pi$ and some unit. Thus, there are 6 possible variants for $u$:

• $u = 2\operatorname{Re}\pi = \pm 2\operatorname{Re}\tilde\pi = \pm 2k$. In this case we search for a curve of order $q + 1 \pm 2k$. One of the curves
$y^2 = x^3 + 1$ and $y^2 = x^3 + g^3$, where $g$ is any quadratic non-residue in $\mathbb F_q$, gives the answer.

• $u = 2\operatorname{Re}\pi = \pm 2\operatorname{Re}(\zeta_3\tilde\pi) = \pm(k + 3l)$. In this case we search for a curve of order $q + 1 \pm (k + 3l)$. One of the
curves $y^2 = x^3 + c^2$ and $y^2 = x^3 + c^2g^3$ gives the answer.

• $u = 2\operatorname{Re}\pi = \pm 2\operatorname{Re}(\zeta_3^2\tilde\pi) = \pm(k - 3l)$. In this case we search for a curve of order $q + 1 \pm (k - 3l)$. One of the
curves $y^2 = x^3 + c^{-2}$ and $y^2 = x^3 + c^{-2}g^3$ gives the answer.

If $D = -4$, we similarly have $H_{-4}[j](x) = x - 1728$ with the only root $j = 1728$. Formula (6) in this case
reads $\left(\frac{-4}{p}\right) = 1$ and implies $p \equiv 1 \pmod 4$; in particular, we still have $p > 3$. Any curve of the form $y^2 = x^3 + bx$,
$b \ne 0$, has $j$-invariant equal to 1728 ([7, Proposition A.1.1]), and all such curves are $\bar{\mathbb F}_q$-isomorphic (because they
have the same $j$-invariant).

Let $S_1(b) = \sum_{x \in \mathbb F_q}\chi(x)\chi(x^2 + b)$, where $\chi$ is the unique multiplicative character of $\mathbb F_q$ of order 2, as above.
It is easy to see that the order of the curve $y^2 = x^3 + bx$ equals $q + 1 + S_1(b)$. The equality $p \equiv 1 \pmod 4$
implies $q \equiv 1 \pmod 4$. According to [16], there exist $k, l \in \mathbb Z$ such that $k$ is odd, $S_1(1) = 2k$, $S_1(b) = \pm 2l$ for
any quadratic non-residue $b$, and $S_1(b) = \chi(t)S_1(bt^2)$ for any $t \in \mathbb F_q^*$.

The curve $E''$ generated in the third stage is $y^2 = x^3 + x$; therefore $\tilde u = -S_1(1) = -2k$ and $q = k^2 + l^2$. Since
$|\tilde\pi|^2 = q$, it follows that $\tilde\pi = -k \pm li$.

Similarly to the previous case, there are 4 possible variants for $u$: $\pm 2\operatorname{Re}\tilde\pi = \pm 2k$ and $\pm 2\operatorname{Re}(i\tilde\pi) = \pm 2l$. If
$u = \pm 2k$, one of the curves $y^2 = x^3 + x$ and $y^2 = x^3 + g^2x$, where $g$ is any quadratic non-residue in $\mathbb F_q$, has the
required order. If $u = \pm 2l$, one of the curves $y^2 = x^3 + gx$ and $y^2 = x^3 + g^3x$ has the required order.

2.3 Some known optimizations

The coefficients of the polynomial $H_D[j]$ grow quite fast with $|D|$. For example, $H_{-40}[j](x) = x^2 - 425692800x +
9103145472000$. Consequently, it is useful to search for other functions with singular values in $L$ whose
characteristic polynomial has a smaller height.
Let $z \in \mathbb H$, $q = e^{2\pi i z}$. Following [6], we introduce the functions

$\eta(z) = q^{1/24}\prod_{n=1}^{\infty}(1 - q^n), \qquad \zeta_{48} = e^{2\pi i/48},$

$\mathfrak f(z) = \zeta_{48}^{-1}\,\frac{\eta\!\left(\frac{z + 1}{2}\right)}{\eta(z)}, \qquad \mathfrak f_1(z) = \frac{\eta\!\left(\frac z2\right)}{\eta(z)}, \qquad \mathfrak f_2(z) = \sqrt2\,\frac{\eta(2z)}{\eta(z)},$

and $\gamma_2(z)$, the cube root of $j(z)$ given by

$\gamma_2 = \frac{\mathfrak f^{24} - 16}{\mathfrak f^8} = \frac{\mathfrak f_1^{24} + 16}{\mathfrak f_1^8} = \frac{\mathfrak f_2^{24} + 16}{\mathfrak f_2^8}, \qquad \mathfrak f\,\mathfrak f_1\,\mathfrak f_2 = \sqrt2. \qquad (9)$

Let $N$ be a natural number. We define an $N$-system (following [17]) as a set of forms $(A_1, B_1, C_1), \dots,$
$(A_h, B_h, C_h)$ such that

• the set $\{\eta(A_i, B_i, C_i) : 1 \le i \le h\}$ is a complete system of representatives of the group $\mathcal H_D$,

• the relations

$\gcd(A_i, N) = 1, \qquad B_i \equiv B_j \pmod{2N}$

hold for all $i, j$.

Note that for any form $(A_i, B_i, C_i)$ the congruence $B_i \equiv D \pmod 2$ holds, so $B_i \equiv B_j \pmod 2$ for any $i, j$ automatically.

If a set of forms satisfying the first condition is known, it is easy to construct an $N$-system. For example, the
complete set of reduced forms can be used as a starting point. The corresponding algorithm can be found in
[17, proof of Proposition 3]. (We assume that the prime factorization of $N$ is known.)

1. First, achieve the condition $\gcd(A_i, N) = 1$ for all $i$.

Obviously, it is sufficient to solve the following task: achieve $\gcd(A_i, N_0l) = 1$ assuming that $\gcd(A_i, N_0) = 1$,
where $l$ is the next prime divisor of $N$ not dividing $N_0$.

The number $l$ cannot divide all of the numbers $A_i$, $A_i + N_0B_i + N_0^2C_i$, $l^2A_i + lN_0B_i + N_0^2C_i$, because otherwise
the numbers $A_i, B_i, C_i$ would have the common divisor $l$ and the form $(A_i, B_i, C_i)$ would not be primitive.

• Assume $l \nmid A_i$. Then the condition $\gcd(A_i, N_0l) = 1$ already holds.

• Assume $l \nmid A_i + N_0B_i + N_0^2C_i$. Change the variables $x = x'$, $y = N_0x' + y'$ and replace the current
form with the new form (obviously, it is equivalent).

• Assume $l \nmid l^2A_i + lN_0B_i + N_0^2C_i$. Find $a, b \in \mathbb Z$ such that $al - bN_0 = 1$, change the variables
$x = lx' + by'$, $y = N_0x' + ay'$ and replace the current form with the new form (obviously, it is
equivalent).

2. Next, achieve the condition $B_i \equiv B_1 \pmod{2N}$ for all $i$. The change of variables $x = x' + ay'$,
$y = y'$ transforms the form $(A_i, B_i, C_i)$ into the equivalent form $(A_i, B_i + 2aA_i, C_i + aB_i + a^2A_i)$. Since
$\gcd(A_i, N) = 1$, it is sufficient to apply this transformation with $a \equiv A_i^{-1}\,\frac{B_1 - B_i}{2} \pmod N$.
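The two steps above in code, as an added example (not code from the paper or from [17]). The input is one form per ideal class, e.g. the reduced forms; each form is replaced by an equivalent one via exactly the unimodular substitutions listed, so discriminant and class are preserved by construction. The sample inputs in the test, the reduced forms of $D = -40$ and $D = -23$, are supplied by hand; function names are this example's own.

```python
"""Constructing an N-system from a complete set of class representatives.

Added example, not from the original paper.  Each form (A, B, C) is
replaced by an equivalent form with gcd(A, N) = 1 (step 1) and then with
B = B_1 (mod 2N) (step 2), using only substitutions of determinant 1.
"""
from math import gcd


def prime_factors(n):
    """Distinct prime divisors of n (trial division; N is small in practice)."""
    out, d = [], 2
    while d * d <= n:
        if n % d == 0:
            out.append(d)
            while n % d == 0:
                n //= d
        d += 1
    if n > 1:
        out.append(n)
    return out


def substitute(form, a, b, c, d):
    """Apply x = a x' + b y', y = c x' + d y' (ad - bc = 1) to A x^2 + B x y + C y^2."""
    A, B, C = form
    assert a * d - b * c == 1
    return (A * a * a + B * a * c + C * c * c,
            2 * A * a * b + B * (a * d + b * c) + 2 * C * c * d,
            A * b * b + B * b * d + C * d * d)


def make_coprime_to(form, N):
    """Step 1: an equivalent form whose first coefficient is coprime to N."""
    n0 = 1                                   # gcd(A, n0) = 1 holds so far
    for l in prime_factors(N):
        A, B, C = form
        if A % l == 0:
            if (A + n0 * B + n0 * n0 * C) % l != 0:
                form = substitute(form, 1, 0, n0, 1)          # x = x', y = n0 x' + y'
            else:
                # l | A and l | A + n0 B + n0^2 C force l not dividing C
                # (else the form is imprimitive), so the third candidate
                # l^2 A + l n0 B + n0^2 C is prime to l.  Need a l - b n0 = 1.
                a = pow(l, -1, n0) if n0 > 1 else 0
                b = (a * l - 1) // n0
                form = substitute(form, l, b, n0, a)          # x = l x' + b y', y = n0 x' + a y'
        n0 *= l
        assert gcd(form[0], n0) == 1
    return form


def n_system(forms, N):
    """Build an N-system from one form per ideal class (e.g. the reduced forms)."""
    out = [make_coprime_to(f, N) for f in forms]
    B1 = out[0][1]
    result = [out[0]]
    for A, B, C in out[1:]:
        # x = x' + a y', y = y' gives (A, B + 2aA, C + aB + a^2 A);
        # B1 = B (mod 2) always, so (B1 - B)/2 is an integer
        a = (B1 - B) // 2 * pow(A, -1, N) % N
        result.append(substitute((A, B, C), 1, a, 0, 1))
    return result


if __name__ == "__main__":
    # Constructed input: the reduced forms of D = -40; a 16-system is what
    # Theorem 2 below needs (2 not dividing A, B = B_1 mod 32).
    print(n_system([(1, 0, 10), (2, 0, 5)], 16))
```

For $D = -40$ and $N = 16$ the class of $(2, 0, 5)$ is represented by $(7, 192, 1318)$: the first substitution turns it into $(7, 10, 5)$, and step 2 with $a \equiv 7^{-1}\cdot(-5) \equiv 13 \pmod{16}$ moves $B$ to $192 \equiv 0 \pmod{32}$.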

Theorem 2. ([17, Theorem 1]) Let $\alpha \in \mathbb H$ be the root of the form

$(A, B, C), \qquad 2 \nmid A, \qquad 32 \mid B,$

with discriminant $B^2 - 4AC = D = -4m$, $m \in \mathbb N$. Let $g(\alpha)$ be defined according to the residue of $m$ modulo 8 (the six cases $m \equiv 1, 3, 5, 7 \pmod 8$, $m \equiv 2 \pmod 4$ and $m \equiv 4 \pmod 8$) as a suitable power of $\mathfrak f(\alpha)$ or $\mathfrak f_1(\alpha)$ (in some of the cases with the exponent 3), divided by $\sqrt2$ or $2\sqrt2$ and multiplied by a root of unity and by a Kronecker symbol with denominator $A$; the precise table of the six expressions is that of [17, Theorem 1]. Then $g(\alpha) \in \mathcal O_L$.

If $\alpha_1 = \alpha, \dots, \alpha_h$ are the roots of the elements of a 16-system, the singular values $g(\alpha_i)$ form the complete set of
distinct conjugates over $\mathbb Q$.
Theorem 3. ([17, Theorem 2]) Let $\alpha \in \mathbb H$ be the root of the form

$(A, B, C), \qquad 3 \nmid A, \qquad 3 \mid B,$

with discriminant $B^2 - 4AC = D$. Then

$\mathbb Q(\gamma_2(\alpha)) = \begin{cases} \mathbb Q(j(\alpha)), & 3 \nmid D, \\ \mathbb Q(j(3\alpha)), & 3 \mid D. \end{cases}$

Moreover, if $3 \nmid D$ and $\alpha_1 = \alpha, \dots, \alpha_h$ are the roots of the elements of a 3-system, the singular values $\gamma_2(\alpha_i)$ form
the complete set of distinct conjugates over $\mathbb Q$. In addition, the $\gamma_2(\alpha_i)$ are algebraic integers.

Let $p_1, p_2$ be prime numbers. Following [18], we introduce the function

$\mathfrak m_{p_1,p_2}(z) = \frac{\eta\!\left(\frac{z}{p_1}\right)\eta\!\left(\frac{z}{p_2}\right)}{\eta(z)\,\eta\!\left(\frac{z}{p_1p_2}\right)}$

and define $s = \frac{24}{\gcd(24, (p_1 - 1)(p_2 - 1))}$.

Theorem 4. ([18, Theorems 3.2, 3.3, Corollary 3.1]) Let $D$ satisfy (1), $N = p_1p_2$, where $p_1$ and $p_2$ are primes such
that

either 1) $\left(\frac{D}{p_1}\right) \ne -1$ and $\left(\frac{D}{p_2}\right) \ne -1$ if $p_1 \ne p_2$, or 2a) $\left(\frac{D}{p}\right) = 1$ if $p_1 = p_2 = p$, or 2b) $p \mid f$ if $p_1 = p_2 = p$.

Then there exists a form $(A_1, B_1, C_1)$ such that $\gcd(A_1, N) = 1$ and $N \mid C_1$. Let $\alpha_1 \in \mathbb H$ be the root of this
form. The singular value $\mathfrak m^s_{p_1,p_2}(\alpha_1)$ lies in $L$. All conjugates over $K$ of $\mathfrak m^s_{p_1,p_2}(\alpha_1)$ are $\mathfrak m^s_{p_1,p_2}(\alpha_i)$, where the $\alpha_i$ are
the roots of the elements of an $N$-system. The numbers $\mathfrak m^s_{p_1,p_2}(\alpha_i)$ are algebraic integers.

If one of the conditions 1) and 2a) holds, the numbers $\mathfrak m^s_{p_1,p_2}(\alpha_i)$ are units (i.e. the numbers $\mathfrak m^{-s}_{p_1,p_2}(\alpha_i)$ are
algebraic integers too).

If the primes $p_1$ and $p_2$ satisfy the stronger condition

• $\left(\frac{D}{p_1}\right) \ne -1$, $\left(\frac{D}{p_2}\right) \ne -1$ and $p_1, p_2 \nmid f$ when $p_1 \ne p_2$;

• $\left(\frac{D}{p}\right) = 1$ or $p \mid f$ when $p_1 = p_2 = p \ne 2$;

• either $\left(\frac{D}{2}\right) = 1$, or $2 \mid f$ and $D \not\equiv 4 \pmod{32}$ when $p_1 = p_2 = 2$,

then complex conjugation permutes the $\mathfrak m^s_{p_1,p_2}(\alpha_i)$.

We need more precise statements for the following. The formulations of theorems [2j [3l |4] do not give the 
full information regarding the action of Gal(X / K) on singular values. However, the proofs from the articles |17] 
and [181 contain this information. 

Statement 1. (\ 17\ Theorem 7]) Let 9 be the function from one of theorems^ [3J [^] (in the last one the weak 
condition on p\, P2 is sufficient). Let a, b be two elements of the N -system from the same theorem. Let a be 
the root of a, (3 be the root 0/ b, A : Hd G&\(L/K) be the canonical isomorphism. Then 

This formula holds for 9 — j too, as mentioned above. 

It is more convenient to use Statement 1 in the form of a formula which specifies the action of a given automorphism from Gal(L/K) on a given singular value. We recall that 𝔥 is surjective and that an N-system contains representatives of all classes in H_D.

Corollary 1. Let θ, the N-system and α be the same as in Statement 1. Let c ∈ H_D. Then there exists a form b from the N-system such that

\mathfrak{h}(b) = \mathfrak{h}(a)\, c^{-1}.

If β is the root of b, then

\theta(\alpha)^{\Omega(c)} = \theta(\beta). \qquad (10)

Further, for the function m_{p_1,p_2} we assume that p_1 and p_2 satisfy the strong condition of the theorem; it is easy to see that such primes can be found for any D.

Theorems 2 and 3 can be joined: if the discriminant D and the form (A, B, C) satisfy the assumptions of Theorem 2 and also 3 ∤ D, 3 ∤ A, 3 | B, then the function g(α) can be defined without the exponent 3 and the conclusion of Theorem 2 still holds. For example, let us consider the case m ≡ 3 (mod 8). According to (9),

(f(\alpha)^3)^8 - 16 = \gamma_2(\alpha)\, f(\alpha)^8. \qquad (11)

Since f(α)^3 ∈ L and γ_2(α) ∈ L, we have f(α) ∈ L. Statement 1 now implies that any automorphism from Gal(L/K) maps f(α)^3 to f(α')^3 and γ_2(α) to γ_2(α'), where α' depends only on the automorphism; (11) implies that f(α) is mapped to f(α'). Finally, f(α) is an algebraic integer, e.g. as a cube root of f(α)^3, which is an algebraic integer due to Theorem 2. In the other cases the formulas are slightly more complicated, but the reasoning is the same.

Let θ and α* = {α_1, …, α_h} be the function and the set of roots from one of Theorems 2–4. Let us consider the polynomial in one variable

H_D[\theta, \alpha^*](x) = \prod_{i=1}^{h} \left( x - \theta(\alpha_i) \right).

This polynomial has integer coefficients. For the functions from Theorems 2 and 3 this follows directly from the conclusion of the theorem. For θ = m_{p_1,p_2} it is easy to see from Statement 1 that H_D[θ, α*] is invariant under Gal(L/K) and therefore lies in K[x], and it remains to apply Theorem 4.

For example, H_{-40}[γ_2, α*](x) = x^2 − 780x + 20880; H_{-40}[g, α*](x) = x^2 − x − 1 with g(α) = c · f_1(α)^2, where the constant factor c is garbled in the extraction; H_{-40}[m_{5,7}, α*](x) = x^2 − x − 1; H_{-40}[m_{11,13}, α*](x) = x^2 ± 2x + 1. (The choice of α* does not affect the polynomial in the first three cases; there are two variants of the polynomial, depending on α*, in the last case.) The last example shows that the values m_{p_1,p_2}(α_i) can coincide, so in the general case H_D[m_{p_1,p_2}, α*] is some power of the minimal polynomial.

Since the polynomial H_D[θ, α*] has integer coefficients, it can be calculated in the same way as H_D[j]: compute sufficiently accurate approximations to the singular values θ(α_i), multiply the factors x − θ(α_i) and round the coefficients to integers. Since θ(α_i) ∈ O_L, it has a representative in O_L/𝔓 ⊂ F_q (Theorem 1), so the reduction of H_D[θ, α*](x) modulo p splits into linear factors in F_q. It remains to calculate the j-invariant from the reduction of θ(α_i) in F_q. The formulas (9) give the answer for θ = γ_2 and for θ a power of f from Theorem 2. The situation for θ = m_{p_1,p_2} is more complicated. There exists a polynomial Φ_{p_1,p_2}(x, y) ∈ Z[x, y] such that the identity Φ_{p_1,p_2}(m_{p_1,p_2}(z), j(z)) = 0 holds ([18]). Substituting z = α_i and reducing modulo 𝔓 (since 𝔓 ∩ Z = pZ, it is sufficient to reduce Φ_{p_1,p_2} modulo p), we obtain a polynomial equation for the required j-invariant. Solving this equation gives several candidates for the j-invariant. The correct one can be selected e.g. as follows: construct an elliptic curve (and its quadratic twist) for every candidate and check whether its order equals q + 1 − u. For example, cryptographic applications require that q + 1 − u has a large prime divisor; in this case the simple test (q + 1 − u)P = 0 for a random point P is good for eliminating wrong candidates. Note that the right order does not guarantee that the endomorphism ring is precisely O_D, but such a subtle difference is usually not important; a more detailed discussion can be found in [18].



3 Properties of the isomorphism Ω

We recall that the group H_D is the factor group of the group I(O_D) of proper fractional O_D-ideals by the subgroup P(O_D) of principal ideals.

An O_D-ideal 𝔞 is prime to f when 𝔞 + fO_D = O_D. This is equivalent to gcd(Norm(𝔞), f) = 1, and every ideal prime to the conductor is proper ([5, Lemma 7.18]). Let I(O_D, f) denote the subgroup of I(O_D) generated by ideals prime to f. Let P(O_D, f) denote the subgroup of P(O_D) generated by principal ideals αO_D with gcd(Norm(α), f) = 1. The inclusion I(O_D, f) ⊂ I(O_D) induces an isomorphism I(O_D, f)/P(O_D, f) ≅ H_D ([5, Proposition 7.19]).

An O-ideal 𝔞 is prime to f if and only if gcd(Norm(𝔞), f) = 1 ([5, Lemma 7.18]). Let I(O, f) denote the subgroup of fractional O-ideals generated by ideals prime to f. We recall that P_{K,Z}(f) denotes the subgroup of O-ideals generated by principal ideals of the form αO with α ∈ O, α ≡ a (mod fO) for some a ∈ Z, gcd(a, f) = 1. The map Ω_1 : 𝔞 ↦ 𝔞O gives a group isomorphism I(O_D, f) → I(O, f) which preserves the norm ([5, Proposition 7.20]). In addition ([5, Proposition 7.22]), Ω_1 induces an isomorphism I(O_D, f)/P(O_D, f) ≅ I(O, f)/P_{K,Z}(f).

Thus, we have an isomorphism Ω_2 : H_D → I(O, f)/P_{K,Z}(f). The Artin map I(O, f) → Gal(L/K) (denoted by ((L/K)/·)) induces an isomorphism I(O, f)/P_{K,Z}(f) ≅ Gal(L/K). The composition of the last isomorphism with Ω_2 is the canonical isomorphism referenced in Statement 1 ([5, §9]).
Let us sum up the above maps. There exists a commutative diagram

    I(O_D)  ⊃  I(O_D, f)  ------>  I(O, f)
                  |                   |
                  v                   v
    H_D  <--  I(O_D, f)/P(O_D, f)  -->  I(O, f)/P_{K,Z}(f)  -->  Gal(L/K)        (12)

where the vertical arrows denote the projections of a group to its factor group and the horizontal arrows in the second line are isomorphisms.

Theorem 5. Let (A, B, C) be a form with gcd(A, D) = 1. Let q | D be an integer satisfying one of the conditions:

• |q| is an odd prime, q ≡ 1 (mod 4); or

• q ∈ {−4, ±8}, D/q ≡ 0 (mod 4) or D/q ≡ 1 (mod 4).

Then

1. √q ∈ L.

2. 𝔞 = (A, (−B + √D)/2)_Z ∈ I(O_D, f), Norm(𝔞) = A.

3. \left(\dfrac{L/K}{\Omega_1(\mathfrak{a})}\right)(\sqrt{q}) = \left(\dfrac{q}{A}\right)\sqrt{q}.
Proof. The first assertion follows from [11, Theorem 2.2.23 and (2.2.8)].

[5, Theorem 7.7] implies that 𝔞 is a proper O_D-ideal. Its norm is |O_D/𝔞| by definition; it is easy to see that every coset in O_D/𝔞 contains exactly one integer from 0, …, A − 1, so Norm(𝔞) = A. Since gcd(A, f) = 1, the ideal 𝔞 is prime to f. The second assertion is proved.

Let Ω_1(𝔞) = 𝔭_1 ⋯ 𝔭_s, where the 𝔭_i are prime O-ideals (not necessarily different). Since

A = Norm(𝔞) = Norm(𝔭_1) ⋯ Norm(𝔭_s)

and the Kronecker symbol is multiplicative, it is sufficient to prove that for every prime ideal 𝔭 dividing Ω_1(𝔞) the equality with the Artin symbol

\left(\frac{L/K}{\mathfrak{p}}\right)(\sqrt{q}) = \left(\frac{q}{\mathrm{Norm}(\mathfrak{p})}\right)\sqrt{q} \qquad (13)

holds. The left-hand side is the image of √q under an automorphism, so it must be one of ±√q.

Assume first that 𝔭 | Ω_1(𝔞), 𝔭 ∩ Z = pZ, p is odd. Let 𝔓 be a prime O_L-ideal lying above 𝔭. Since gcd(A, D) = 1 and q | D, we have 2√q ∉ 𝔓 and therefore √q ≢ −√q (mod 𝔓). By definition

\left(\frac{L/K}{\mathfrak{p}}\right)(\sqrt{q}) \equiv \sqrt{q}^{\,\mathrm{Norm}(\mathfrak{p})} = q^{(\mathrm{Norm}(\mathfrak{p}) - 1)/2}\sqrt{q} \pmod{\mathfrak{P}}.

If the ideal pO is prime (i.e. 𝔭 = pO), then Norm(𝔭) = p^2 and the right-hand side of (13) equals √q. On the other hand, q^{(p^2−1)/2} = (q^{p−1})^{(p+1)/2} ≡ 1 (mod p), so the left-hand side of (13) is congruent to √q modulo 𝔓 and therefore is equal to √q. Thus, (13) is proved in this case.

If the ideal pO is not prime, then Norm(𝔭) = p and the right-hand side of (13) equals (q/p)√q. On the other hand, q^{(p−1)/2} ≡ (q/p) (mod p), so the left-hand side of (13) is congruent to (q/p)√q modulo 𝔓 and therefore is equal to (q/p)√q. Thus, (13) is proved in this case too.

Assume now that 𝔭 | Ω_1(𝔞), 𝔭 ∩ Z = 2Z, and a prime O_L-ideal 𝔓 lies above 𝔭. In this case 2 | A, and the assumption of the theorem implies that 2 ∤ D and q is odd. Since B^2 − 4AC = D, we have D ≡ B^2 ≡ 1 (mod 8). Thus d ≡ 1 (mod 8) and the ideal 2O is not prime ([?, Proposition 13.1.4]), so Norm(𝔭) = 2. Therefore, the right-hand side of (13) equals (q/2)√q. To calculate the left-hand side of (13), consider the image of (1 + √q)/2. This expression must be equal to one of (1 ± √q)/2, and the two possible values are different modulo 𝔓. By definition

\left(\frac{L/K}{\mathfrak{p}}\right)\left(\frac{1 + \sqrt{q}}{2}\right) \equiv \left(\frac{1 + \sqrt{q}}{2}\right)^2 = \frac{q - 1}{4} + \frac{1 + \sqrt{q}}{2} \pmod{\mathfrak{P}}.

If (q/2) = 1, then q ≡ 1 (mod 8), (q − 1)/4 is even and hence lies in 𝔓. If (q/2) = −1, then q ≡ 5 (mod 8), (q − 1)/4 is odd and therefore is congruent to −1 ≡ 1 modulo 𝔓. In both cases we obtain

\left(\frac{L/K}{\mathfrak{p}}\right)\left(\frac{1 + \sqrt{q}}{2}\right) \equiv \frac{1 + \left(\frac{q}{2}\right)\sqrt{q}}{2} \pmod{\mathfrak{P}},

which implies (13). □

Lemma 2. Let d < 0 satisfy one of the conditions (2) and (3). There exists a unique (up to the order of the factors) representation of d as the product

d = q_1^* \cdots q_t^*,

where all q_i^* are pairwise relatively prime,

q^* = (-1)^{(q-1)/2}\, q

if q > 0 is an odd prime, and q^* ∈ {−4, ±8} if q = 2.

Proof. The uniqueness is obvious; we need to prove the existence.

If d satisfies (3), the prime factorization of d has the form d = −q_1 ⋯ q_t, where the q_i are different odd primes; since q_i^* = ±q_i, it follows that d = ±q_1^* ⋯ q_t^*; finally, the sign is correct because d ≡ 1 (mod 4) and q_i^* ≡ 1 (mod 4) for all i.

Assume that d satisfies (2). The prime factorization of d/4 has one of the forms d/4 = −q_1 ⋯ q_{t−1} or d/4 = −2q_1 ⋯ q_{t−1}, where the q_i are different odd primes in both forms. If d/4 is odd, similarly to the previous case we obtain d/4 = ±q_1^* ⋯ q_{t−1}^*, but this time (2) implies d/4 ≢ 1 (mod 4), so the sign is −. Multiplying by −4, we obtain the assertion of the lemma. Finally, if d/4 is even, we have d/4 = ±2q_1^* ⋯ q_{t−1}^*. Selecting the correct sign in q_t^* = ±8, we obtain the assertion of the lemma. □

It is easy to see that the numbers q_i^* from Lemma 2 satisfy the assumptions of Theorem 5. Therefore, K(√q_1^*, …, √q_t^*) ⊂ L. The field K(√q_1^*, …, √q_t^*) depends only on the field K (which defines d but not f) and is called the genus field of K. Hereafter we use the notation

K(\sqrt{q_1^*}, \ldots, \sqrt{q_t^*}) = K_G.



4 Ring of algebraic integers in the genus field

Let the q_i^* be as in Lemma 2. There are three cases.

1. All |q_i^*| are odd primes.

2. q_t^* = ±8.

3. q_t^* = −4.

We need to know a basis of the algebraic integers of the field K_G over Z. Since d = q_1^* ⋯ q_t^*, we have √d ∈ Q(√q_1^*, …, √q_t^*) and therefore K_G = Q(√q_1^*, …, √q_t^*). The formulas are slightly different in the different cases, so we consider each case separately.

Lemma 3. Let M be a number field. Let p ∈ Z be a prime such that the ideal pZ is unramified in M. Let c ∈ M satisfy the condition pc^2 ∈ O_M. Then c ∈ O_M.

Proof. Assume that c ∉ O_M. The fractional ideal cO_M has the factorization into prime ideals cO_M = 𝔮_1^{s_1} ⋯ 𝔮_n^{s_n}, where the 𝔮_i are pairwise different and s_1 < 0. The exponent of 𝔮_1 in the prime factorization of pO_M is at most 1 because pO_M is unramified. The exponent of 𝔮_1 in the prime factorization of c^2 O_M is at most −2. Therefore, the exponent of 𝔮_1 in the prime factorization of pc^2 O_M is negative. The contradiction with pc^2 ∈ O_M proves the lemma. □

Theorem 6. Let q_1, …, q_r be pairwise different integers such that the |q_i| are odd primes and q_i ≡ 1 (mod 4). Let a_i = (1 + √q_i)/2 and ā_i = (1 − √q_i)/2. Then:

1. The set {a_1^{s_1} ⋯ a_r^{s_r} : (s_1, …, s_r) ∈ {0, 1}^r} is a basis of the integers of the field Q(√q_1, …, √q_r) over Z.

2. The set {ā_1^{s_1} a_1^{1−s_1} ⋯ ā_r^{s_r} a_r^{1−s_r} : (s_1, …, s_r) ∈ {0, 1}^r} is a basis of the integers of the field Q(√q_1, …, √q_r) over Z.

Proof. We prove the theorem by induction on r. For r = 0 the theorem is trivial. Assume that the theorem is proved for all fields M_i = Q(√q_1, …, √q_i) with i = 1, …, r − 1.

Lemma 4. Let p ∈ Z be a prime not dividing any of the numbers q_1, …, q_{r−1}. Then the ideal pZ is unramified in M_{r−1}.

Proof. It is sufficient to check that any prime ideal of the field M_{i−1} dividing pO_{M_{i−1}} is unramified in M_i = M_{i−1}(√q_i) for all 1 ≤ i ≤ r − 1.

Let 𝔭 be a prime ideal of the field M_{i−1} such that 𝔭 ∩ Z = pZ. The extension M_{i−1} ⊂ M_i is generated by a_i; the inductive hypothesis implies that (1, a_i) is a basis of O_{M_i} over O_{M_{i−1}}. The only nontrivial automorphism in Gal(M_i/M_{i−1}) transforms this basis to (1, ā_i). According to [20, Propositions III.8 and III.14], 𝔭 is unramified if 𝔭 does not divide det(…)^2 = (a_i − ā_i)^2 = q_i. This is true, because p does not divide q_i. □

Apply Lemma 4 to p = |q_r|. The factorization of q_r O_{M_{r−1}} into prime ideals does not contain squares. In particular, √q_r ∉ M_{r−1}, because otherwise q_r O_{M_{r−1}} = (√q_r O_{M_{r−1}})^2. Therefore, (1, a_r) is an M_{r−1}-basis of M_r.

Let a + b a_r be an algebraic integer with a, b ∈ M_{r−1}. The number a + b(1 − a_r) is conjugate to a + b a_r and hence is also an algebraic integer. Thus, their sum x = 2a + b and product y = a^2 + ab + ((1 − q_r)/4) b^2 are also algebraic integers and lie in O_{M_{r−1}}. Furthermore, x^2 − 4y = q_r b^2 ∈ O_{M_{r−1}}. Lemma 3 implies that b ∈ O_{M_{r−1}}. Thus, 2a ∈ O_{M_{r−1}}, a^2 + ab ∈ O_{M_{r−1}}, 2a^2 = 2(a^2 + ab) − 2a · b ∈ O_{M_{r−1}}. Applying Lemmas 4 and 3 to p = 2, we obtain a ∈ O_{M_{r−1}}. So if a + b a_r is an algebraic integer and a, b ∈ M_{r−1}, then a, b ∈ O_{M_{r−1}}. The converse assertion is obvious, so (1, a_r) is an O_{M_{r−1}}-basis of O_{M_r}. This proves the inductive step for the set {a_1^{s_1} ⋯ a_r^{s_r}}. To prove the second assertion of the theorem it is sufficient to note that (1 − a_r, a_r) = (½(1 − √q_r), ½(1 + √q_r)) is also an O_{M_{r−1}}-basis of O_{M_r}. □

Theorem 7. Let q_1, …, q_{r−1} be the same as in Theorem 6 and q_r = ±8. Let a_r = √(q_r/4). Then:

1. The set {a_1^{s_1} ⋯ a_r^{s_r} : (s_1, …, s_r) ∈ {0, 1}^r} is a basis of the integers of the field Q(√q_1, …, √q_r) over Z.

2. The set

{ā_1^{s_1} a_1^{1−s_1} ⋯ ā_{r−1}^{s_{r−1}} a_{r−1}^{1−s_{r−1}} a_r^{s_r} : (s_1, …, s_r) ∈ {0, 1}^r}

is a basis of the integers of the field Q(√q_1, …, √q_r) over Z.

Proof. Let M = Q(√q_1, …, √q_{r−1}). Apply Lemma 4 with p = 2 and Theorem 6. The ideal 2Z is unramified in M. As shown above, this implies that √q_r ∉ M and (1, √q_r) is an M-basis of M(√q_r).

Let a + b a_r be an algebraic integer with a, b ∈ M. The number a − b a_r is conjugate to a + b a_r and therefore is also an algebraic integer. Thus, their sum 2a and product a^2 ∓ 2b^2 are algebraic integers and lie in O_M. Furthermore, (2a)^2 − 4(a^2 ∓ 2b^2) = ±2(2b)^2 ∈ O_M; with Lemma 3 this implies 2b ∈ O_M. Now 2(a^2 ∓ 2b^2) ± (2b)^2 = 2a^2 ∈ O_M; with Lemma 3 this implies a ∈ O_M. Finally, a^2 − (a^2 ∓ 2b^2) = ±2b^2 ∈ O_M; with Lemma 3 this implies b ∈ O_M. Therefore, (1, a_r) is an O_M-basis of the ring of integers of M(√q_r). Use of Theorem 6 concludes the proof. □

Theorem 8. Let q_1, …, q_{r−1} be the same as in Theorem 6 and q_r = −4. Let a_r = √(q_r/4) = i. Then:

1. The set {a_1^{s_1} ⋯ a_r^{s_r} : (s_1, …, s_r) ∈ {0, 1}^r} is a basis of the integers of the field Q(√q_1, …, √q_r) over Z.

2. The set

{ā_1^{s_1} a_1^{1−s_1} ⋯ ā_{r−1}^{s_{r−1}} a_{r−1}^{1−s_{r−1}} a_r^{s_r} : (s_1, …, s_r) ∈ {0, 1}^r}

is a basis of the integers of the field Q(√q_1, …, √q_r) over Z.

Proof. Let M = Q(√q_1, …, √q_{r−1}). The identity 2 = −i(1 + i)^2 shows that the ideal 2Z is ramified in any field containing i. Lemma 4 and Theorem 6 imply that 2Z is unramified in M. Therefore, i ∉ M.

Let a + bi be an algebraic integer with a, b ∈ M. The number a − bi is conjugate to a + bi and therefore is also an algebraic integer. Thus, their sum 2a and product a^2 + b^2 are also algebraic integers and lie in O_M. Furthermore, 2(a^2 + b^2) + 2a · 2b = 2(a + b)^2 ∈ O_M, so Lemmas 4 and 3 with p = 2 and Theorem 6 imply that a + b ∈ O_M. Now 2a − (a + b) = a − b ∈ O_M, (a + b)(a − b) = a^2 − b^2 ∈ O_M, 2a^2 ∈ O_M, 2b^2 ∈ O_M. Applying Lemmas 4, 3 and Theorem 6 again, we obtain a, b ∈ O_M. Thus, (1, a_r) is an O_M-basis of the ring of integers of M(√q_r). Use of Theorem 6 concludes the proof. □
Let ⊕ denote the addition of integers modulo 2.

In each case we have [K_G : Q] = 2^t. Thus, √q_j^* ∉ Q(…, √q_{j−1}^*, √q_{j+1}^*, …) for any 1 ≤ j ≤ t. Therefore, Gal(K_G/Q) has t elements τ_j with the following action:

\tau_j(\sqrt{q_j^*}) = -\sqrt{q_j^*}, \qquad \tau_j(\sqrt{q_i^*}) = \sqrt{q_i^*} \ \text{ for } i \neq j. \qquad (14)

Let

\tau_\mu = \tau_1^{\mu_1} \cdots \tau_t^{\mu_t} \in \mathrm{Gal}(K_G/Q)

for μ ∈ {0, 1}^t. Comparing the action of τ_μ on √q_i^*, it is easy to see that the τ_μ are pairwise different. We obtain 2^t = |Gal(K_G/Q)| different elements of Gal(K_G/Q), so this group does not contain other elements.

The theorems above give a Z-basis of O_{K_G}. We also need the intersection O_{K_G} ∩ R (obviously, it is the ring of integers of K_G ∩ R) and the intersection O_{K_G} ∩ iR (obviously, it is a Z-module). There is at least one negative q_i^*. Let u be the number of positive q_i^*, 0 ≤ u < t. We assume without loss of generality that q_1^* > 0, …, q_u^* > 0, q_{u+1}^* < 0, …, q_t^* < 0.

The complex conjugation acts on √q_i^* in the same way as the composition τ_{u+1} ⋯ τ_t. Since K_G ∩ R is the fixed field of the complex conjugation restricted to K_G, the group Gal((K_G ∩ R)/Q) is isomorphic to the factor group of Gal(K_G/Q) by the subgroup generated by the complex conjugation. We select the element with μ_t = 0 as a representative in each coset and obtain that Gal((K_G ∩ R)/Q) consists of the automorphisms

\tau_\lambda = \tau_{\lambda_1,\ldots,\lambda_{t-1}} = \tau_{\lambda_1,\ldots,\lambda_{t-1},0} = \tau_1^{\lambda_1} \cdots \tau_{t-1}^{\lambda_{t-1}} \qquad (15)

for λ ∈ {0, 1}^{t−1}; the τ_λ are pairwise different for different λ.

Note that √d has two possible values. Further we select the value that equals the product √q_1^* ⋯ √q_t^*, where the values of the individual square roots are the same as in the definition of a_i and ā_i.

Theorem 9. Let q_1^*, …, q_t^* be as in Lemma 2, odd and numbered so that q_i^* > 0 for 1 ≤ i ≤ u and q_i^* < 0 for u < i ≤ t, where 0 ≤ u ≤ t − 1. Let K_G = Q(√q_1^*, …, √q_t^*). Let τ_λ be defined by (15).

1. Define

\beta_{s_1,\ldots,s_{t-1}} = \beta_{s_1,\ldots,s_{t-1}}(q_1^*, \ldots, q_t^*)
= \left( \prod_{i=1}^{u} \bar a_i^{\,s_i} a_i^{\,1-s_i} \right)
\left( \left( \prod_{i=u+1}^{t-1} \bar a_i^{\,s_i} a_i^{\,1-s_i} \right) a_t
+ \left( \prod_{i=u+1}^{t-1} a_i^{\,s_i} \bar a_i^{\,1-s_i} \right) \bar a_t \right).

The set {β_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the ring of integers of K_G ∩ R.

2. Define β*_{s_1,…,s_{t−1}} = β*_{s_1,…,s_{t−1}}(q_1^*, …, q_t^*) [the right-hand side is garbled in the extraction; by the proof below it is, up to sign, the expression for β_{s_1,…,s_{t−1}} with the sum of its two terms replaced by their difference].

The set {β*_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the Z-module O_{K_G} ∩ iR.

3. For any η, ν ∈ {0, 1}^{t−1}

\sum_{\mu \in \{0,1\}^{t-1}} (-1)^{\mu_1 + \cdots + \mu_{t-1}}\, \tau_\mu\!\left( \beta_{\eta_1,\ldots,\eta_{t-1}}\, \beta^*_{\nu_1,\ldots,\nu_{t-1}} \right)
= \begin{cases} \sqrt{d}, & \text{if } \eta = \nu, \\ 0, & \text{otherwise.} \end{cases}

Proof. Let β'_{s_1,…,s_t} be the element of the basis from the second assertion of Theorem 6 corresponding to the set (s_1, …, s_t).

A number from O_{K_G} is in K_G ∩ R if and only if it is invariant under the complex conjugation. It is easy to see that the complex conjugation maps β'_{s_1,…,s_t} to β'_{s_1,…,s_u,1−s_{u+1},…,1−s_t}. Thus, a Z-linear combination of the β'_{s_1,…,s_t} is invariant if and only if the coefficients of β'_{s_1,…,s_t} and β'_{s_1,…,s_u,1−s_{u+1},…,1−s_t} are equal for every set (s_i). Now Theorem 6 implies that {β'_{s_1,…,s_{t−1},0} + β'_{s_1,…,s_u,1−s_{u+1},…,1−s_{t−1},1}} is the required basis. From the definition of β' it is easy to see that this sum is equal to β_{s_1,…,s_{t−1}}. This concludes the proof of the first assertion.

A number from O_{K_G} is in K_G ∩ iR if and only if it changes sign under the complex conjugation. Similarly to the first assertion, we obtain that {β'_{s_1,…,s_{t−1},0} − β'_{s_1,…,s_u,1−s_{u+1},…,1−s_{t−1},1}} is the required basis. From the definition of β' it is easy to see that this difference is equal to ±β*_{s_1,…,s_{t−1}}. This concludes the proof of the second assertion.

The last assertion is checked by a direct calculation. It is easy to see that

[the displayed expressions for τ_μ(β_{η_1,…,η_{t−1}}) and τ_μ(β*_{ν_1,…,ν_{t−1}}) are garbled in the extraction]

Substituting these formulas into the product τ_μ(β_{η_1,…,η_{t−1}}) τ_μ(β*_{ν_1,…,ν_{t−1}}) we obtain a formula of the form (a + b)(c − d). Expanding it, we obtain four summands ac + bc − ad − bd. Let δ_{ij} be the Kronecker delta: δ_{ii} = 1, δ_{ij} = 0 if i ≠ j. Note that

[the displayed identity is garbled in the extraction; its right-hand side is δ_{η_i ν_i} (a_i − ā_i)]

and transposing a_i with ā_i gives two more products with values multiplied by (−1). Therefore,

[the displayed formula is garbled in the extraction]

The sign of the product q_1^* ⋯ q_t^* is determined by the parity of the number of negative factors. There are t − u negative factors, so the inequality q_1^* ⋯ q_t^* = d < 0 implies that t − u is odd and ∏_{i=u+1}^{t−1} (−1) = (−1)^{t−u−1} = 1. Hence

[the final displayed formula is garbled in the extraction] □



Theorem 10. Let q_1^*, …, q_t^* be the same as in Theorem 9 and q_1^* = 8. Let the q_i^* be numbered so that q_i^* > 0 for 1 ≤ i ≤ u and q_i^* < 0 for u < i ≤ t, where 1 ≤ u ≤ t − 1. Let K_G = Q(√q_1^*, …, √q_t^*). Let τ_λ be defined by (15).

1. Define β_{s_1,…,s_{t−1}} [the definition is garbled in the extraction].

The set {β_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the ring of integers of K_G ∩ R.

2. Define β*_{s_1,…,s_{t−1}} = β*_{s_1,…,s_{t−1}}(q_1^*, …, q_t^*) [the right-hand side is garbled in the extraction].

The set {β*_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the Z-module O_{K_G} ∩ iR.

3. For any η, ν ∈ {0, 1}^{t−1}

[the displayed formula is garbled in the extraction; it has the shape of the third assertion of Theorem 9, with the sum over μ ∈ {0, 1}^{t−1} equal to 0 for η ≠ ν]

Proof. The arguments are similar to those of Theorem 9. Calculating the expression from the third assertion yields an additional factor

[garbled in the extraction] □

Theorem 11. Let q_1^*, …, q_{t−1}^* be the same as in Theorem 9 and q_t^* ∈ {−4, −8}. Let the q_i^* be numbered so that q_i^* > 0 for 1 ≤ i ≤ u and q_i^* < 0 for u < i < t, where 0 ≤ u ≤ t − 2. Let K_G = Q(√q_1^*, …, √q_t^*). Let τ_λ be defined by (15).

1. Define β_{s_1,…,s_{t−1}} = β_{s_1,…,s_{t−1}}(√q_1^*, …, √q_t^*) [the right-hand side is garbled in the extraction].

The set {β_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the ring of integers of K_G ∩ R.

2. Define β*_{s_1,…,s_{t−1}} = β*_{s_1,…,s_{t−1}}(√q_1^*, …, √q_t^*) [the right-hand side is garbled in the extraction].

The set {β*_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the Z-module O_{K_G} ∩ iR.

3. For any η, ν ∈ {0, 1}^{t−1}

[the displayed formula is garbled in the extraction; it has the shape of the third assertion of Theorem 9, with the sum over μ ∈ {0, 1}^{t−1} equal to 0 for η ≠ ν]
Proof. Let β'_{s_1,…,s_t} be the element of the basis from the second assertion of Theorem 7 or 8 corresponding to the set (s_1, …, s_t).

A number from O_{K_G} is in K_G ∩ R if and only if it is invariant under the complex conjugation. It is easy to see that the complex conjugation maps β'_{s_1,…,s_t} to (−1)^{s_t} β'_{s_1,…,s_u,1−s_{u+1},…,1−s_{t−1},s_t}. Thus, a Z-linear combination of the β'_{s_1,…,s_t} is invariant if and only if the coefficients of β'_{s_1,…,s_t} and β'_{s_1,…,s_u,1−s_{u+1},…,1−s_{t−1},s_t} are the same for s_t = 0 and differ in sign for s_t = 1. Now Theorem 7 or 8 implies that {β'_{s_1,…,s_{t−2},0,s_t} + (−1)^{s_t} β'_{s_1,…,s_u,1−s_{u+1},…,1−s_{t−2},1,s_t}} is the required basis. From the definition of β' it is easy to see that this sum is equal to β_{s_1,…,s_{t−2},s_t}. This concludes the proof of the first assertion.

The second assertion is proved similarly to the first one.

The third assertion is checked by a direct calculation. Similarly to the proof of Theorem 9 we obtain

[the displayed formula is garbled in the extraction]

Since q_1^* ⋯ q_t^* < 0, the number of negative q_i^* (i.e. t − u) is odd. Therefore, ∏_{i=u+1}^{t−2} (−1) = (−1)^{t−u−2} = −1 and

[the final displayed formula is garbled in the extraction] □

Theorem 12. Let q_1^*, …, q_{t−1}^* be positive and odd, and q_t^* = −4 or q_t^* = −8.

1. Define β_{s_1,…,s_{t−1}} [the definition is garbled in the extraction; its residue shows a product over i = 1, …, t − 1].

The set {β_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the ring of integers of K_G ∩ R.

2. Define β*_{s_1,…,s_{t−1}} [the definition is lost in the extraction].

The set {β*_{s_1,…,s_{t−1}} : (s_1, …, s_{t−1}) ∈ {0, 1}^{t−1}} is a Z-basis of the Z-module O_{K_G} ∩ iR.

3. For any η, ν ∈ {0, 1}^{t−1}

[the displayed formula is garbled in the extraction; it has the shape of the third assertion of Theorem 9, with the sum over μ ∈ {0, 1}^{t−1} equal to 0 for η ≠ ν]

Proof. Obviously, here K_G = M(√q_t^*) with M ⊂ R. Thus K_G ∩ R = M and K_G ∩ iR = √q_t^* · M. The first two assertions follow from Theorems 7 and 8. The last assertion is checked by a direct calculation similar to the one in the proof of Theorem 9. □

For convenience, we denote β_μ = β_{μ_1,…,μ_{t−1}} for μ ∈ {0, 1}^{t−1}. Let M denote the field K_G ∩ R. The set {β_μ} is a Z-basis of O_M.

Let z be any element of O_{K_G}. Since z ∈ K_G, also z̄ ∈ K_G, and z + z̄ = 2 Re z ∈ K_G ∩ R, z − z̄ = 2i Im z ∈ K_G ∩ iR. Moreover, z and z̄ are algebraic integers, so 2 Re z and 2i Im z are algebraic integers too. Thus, 2 Re z = Σ_μ b_μ β_μ and 2i Im z = Σ_μ b*_μ β*_μ. Hereafter a sum whose parameter is given by a Greek letter without an explicit range is assumed to be over {0, 1}^{t−1}. We want to find the integers b_μ and b*_μ from approximate values of these sums. The numbers β_μ form a basis of the real field M. The basis β* is purely imaginary and becomes a basis of the same field M after dividing e.g. by √q_t^* ∈ K_G, q_t^* < 0. Thus, to find an exact expression for z from an approximate value, it is sufficient to solve the following task: recover the coefficients of the decomposition, in a real basis, of a number given by a sufficiently accurate approximation.

The scheme of the next sections is the following.

• Consider a divisor of the polynomial H_D[θ, α*] over the field K_G. The degree of this divisor is h/2^{t−1}. Section 5 deals with this task. The ultimate goal is to use this divisor instead of the full polynomial, thus decreasing the number and the magnitude of the coefficients to be calculated.

• Calculate an a priori upper bound for all conjugates of the coefficients of the divisor. This is done in Section 6.

• The main idea for calculating exact values is to use simultaneous rational approximations to the elements of a basis. Section 7 shows how to construct such approximations for β_μ and β*_μ with any predefined precision. The actual precision depends on the bound from Section 6.

• Finally, Section 8 shows how to calculate exact values from approximations. Section 9 sums up all the steps used in our optimization.





5 Divisor of H̃_D[θ, α*](x)

Let a ∈ H_D. Select a form (A, B, C) such that 𝔥(A, B, C) = a and gcd(A, D) = 1; this is possible because 𝔥 depends only on the equivalence class of a form and each class contains a form (A, B, C) with gcd(A, D) = 1 due to [5, Lemmas 2.25 and 2.3]. Let φ : H_D → {±1}^t be the map defined by the formula

\varphi(a) = \left( \left(\frac{q_1^*}{A}\right), \ldots, \left(\frac{q_t^*}{A}\right) \right).

This definition is correct because the Artin map depends only on the ideal class in I(O, f)/P_{K,Z}(f), and Theorem 5 implies that (q_i^*/A) does not change when the form (A, B, C) is replaced by an equivalent form.

Theorem 13. The image of the map φ is the group {(ε_1, …, ε_t) ∈ {±1}^t : ∏_i ε_i = 1}. The map φ is a group homomorphism. The fixed field L^{Ω(Ker φ)} = {x ∈ L : τ(x) = x for all τ ∈ Ω(Ker φ)} is K(√q_1^*, …, √q_t^*).

Proof. Assertion 3 of Theorem 5 and the fact that the Artin map is a homomorphism imply that φ is a homomorphism.

Let 𝔞 be the ideal for the form (A, B, C) defined in Theorem 5. We have

\left(\frac{q_i^*}{A}\right) = \frac{1}{\sqrt{q_i^*}} \left(\frac{L/K}{\Omega_1(\mathfrak{a})}\right)\left(\sqrt{q_i^*}\right).

Multiplying over all i and using Lemma 2, we obtain

\left(\frac{q_1^*}{A}\right) \cdots \left(\frac{q_t^*}{A}\right) = \frac{1}{\sqrt{d}} \left(\frac{L/K}{\Omega_1(\mathfrak{a})}\right)\left(\sqrt{d}\right).

Since √d ∈ K and ((L/K)/Ω_1(𝔞)) is an element of Gal(L/K), the right-hand side equals 1. This proves the inclusion of the image of φ in {(ε_i) ∈ {±1}^t : ∏_i ε_i = 1}.

Let a lie in the kernel of φ (i.e. φ(a) = (1, …, 1)). Let 𝔞 be the representative of a from assertion 2 of Theorem 5. Then

\left(\frac{L/K}{\Omega_1(\mathfrak{a})}\right)\left(\sqrt{q_i^*}\right) = \sqrt{q_i^*} \quad \text{for all } i.

Equivalently, the image of Ω_1(𝔞) under the Artin map acts trivially on all √q_i^*. Due to the commutativity of the diagram (12) this image equals Ω(a). This proves the inclusion K(√q_1^*, …, √q_t^*) ⊂ L^{Ω(Ker φ)}.

According to Galois theory, Gal(L^{Ω(Ker φ)}/K) ≅ Gal(L/K)/Ω(Ker φ) ≅ H_D/Ker φ ≅ Im φ. In particular, [L^{Ω(Ker φ)} : K] = |Im φ| ≤ 2^{t−1}. We proved in Section 4 that [K(√q_1^*, …, √q_t^*) : Q] = 2^t, so [K(√q_1^*, …, √q_t^*) : K] = 2^{t−1}. Thus, the chain of inequalities [K(√q_1^*, …, √q_t^*) : K] ≤ [L^{Ω(Ker φ)} : K] = |Im φ| ≤ 2^{t−1} is possible only if |Im φ| = 2^{t−1} and K(√q_1^*, …, √q_t^*) = L^{Ω(Ker φ)}. □
We suggest calculating the polynomial

\tilde H_D[\theta, \alpha^*](x) = \prod_{i : \varphi(\mathfrak{h}(A_i, B_i, C_i)) = (1, \ldots, 1)} \left( x - \theta(\alpha_i) \right), \qquad (16)

which obviously divides H_D[θ, α*], instead of the entire polynomial H_D[θ, α*]. Here the function θ and the N-system {(A_i, B_i, C_i)} satisfy the assumptions of one of Theorems 2–4, and α_i is the root of the form (A_i, B_i, C_i).

The main obstacle is that H̃_D[θ, α*] is not invariant under Gal(L/K) and therefore does not lie in Q[x]. Note that φ is a homomorphism. Using the formula (10), it is easy to see that Ω(Ker φ) fixes H̃_D[θ, α*](x); therefore, this polynomial has coefficients in K_G. All numbers θ(α_i) are algebraic integers (Theorems 2–4), so the coefficients of H̃_D[θ, α*] are also algebraic integers. Therefore, to use the polynomial H̃_D[θ, α*] in the complex multiplication method, one must know how to recover an algebraic integer of K_G from a sufficiently accurate approximation. Assuming that such a procedure is implemented, the other actions to generate an elliptic curve are the same as in the original method.

The idea of using the genus field in the CM method was already considered in [4] (1993). There the main obstacle for an algebraic integer z is solved in the following way. All conjugates of z are calculated. One looks for the exact value of z in the form of a linear combination of some generators with unknown coefficients. Any conjugate of z is a linear combination of the conjugates of the generators with the same unknown coefficients. The known approximations for all conjugates give a system of linear equations for these coefficients, which allows one to calculate them (approximately, and then round to integers). We refer to [4] for the details. Note that this solution requires calculating the values θ(α_i) for the roots of all elements of an N-system and all polynomials conjugate to H̃_D[θ, α*]. Thus the optimization is only in the magnitude of the coefficients.

Our approach requires calculating only the polynomial H̃_D[θ, α*] itself (although with greater precision); in particular, it is sufficient to know only the values θ(α_i) for the roots of the forms a with φ(𝔥(a)) = (1, …, 1). Theorem 13 obviously implies that the number of these forms is 2^{t−1} times less than the size of the N-system.
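As an added worked example (written for this page, not the paper's own software), the Python below carries the whole pipeline through for the page's running example D = −40: it computes H_D[j] and H_D[γ_2] by approximating the singular values and rounding (giving x^2 − 780x + 20880 for γ_2), factors d into the prime discriminants q_i^* of Lemma 2, evaluates the genus characters φ of this section, and forms the divisor (16) over the kernel of φ, whose coefficients lie in K_G and so are left unrounded. It assumes that D is a fundamental discriminant (f = 1), uses γ_2 only for forms with 3 | B as the page requires, evaluates (q_i^*/A) on a prime represented by the form (the classical genus character, which equals the page's symbol on an equivalent form with gcd(A, D) = 1), and works in double precision, which suffices for |D| this small but not for cryptographic sizes.

```python
import cmath
import math

def reduced_forms(D):
    """Reduced primitive positive definite forms (A, B, C) of discriminant D < 0, one per class of H_D."""
    forms, A = [], 1
    while 3 * A * A <= -D:
        for B in range(-A, A + 1):
            if (B * B - D) % (4 * A) == 0:
                C = (B * B - D) // (4 * A)
                reduced = C >= A and not (B < 0 and (A == C or abs(B) == A))
                if reduced and math.gcd(math.gcd(A, abs(B)), C) == 1:
                    forms.append((A, B, C))
        A += 1
    return forms

def j_and_gamma2(tau, terms=60):
    """j = E4^3/Delta and gamma_2 = E4/eta^8 (the cube root of j that is real on the imaginary axis),
    both from their q-expansions with q = exp(2 pi i tau)."""
    q = cmath.exp(2j * math.pi * tau)
    sigma3 = lambda n: sum(d ** 3 for d in range(1, n + 1) if n % d == 0)
    e4 = 1 + 240 * sum(sigma3(n) * q ** n for n in range(1, terms + 1))
    eta8 = cmath.exp(2j * math.pi * tau / 3)          # q^(1/3) ...
    for n in range(1, terms + 1):
        eta8 *= (1 - q ** n) ** 8                      # ... times prod (1 - q^n)^8
    gamma2 = e4 / eta8
    return gamma2 ** 3, gamma2

def poly_from_roots(roots):
    """Coefficients of prod (x - r) over the given roots, highest degree first."""
    coeffs = [1]
    for r in roots:
        coeffs = [a - r * b for a, b in zip(coeffs + [0], [0] + coeffs)]
    return coeffs

def round_to_integers(coeffs, tol=0.1):
    """The rounding step: a coefficient farther than tol from an integer means the precision was too low."""
    for c in coeffs:
        if abs(c.imag) > tol or abs(c.real - round(c.real)) > tol:
            raise ArithmeticError(f"coefficient {c} is not close to an integer; increase the precision")
    return [round(c.real) for c in coeffs]

def singular_value(form, D, invariant):
    """theta(alpha) at the form root alpha = (-B + sqrt(D)) / (2A) for theta = j or theta = gamma_2."""
    A, B, C = form
    if invariant == "gamma2" and (D % 3 == 0 or B % 3 != 0):
        raise ValueError("gamma_2 is used only when 3 does not divide D and 3 | B (the page's condition)")
    jv, g2 = j_and_gamma2((-B + cmath.sqrt(D)) / (2 * A))
    return jv if invariant == "j" else g2

def class_polynomial(D, invariant="j"):
    """H_D[theta, alpha*](x) over all reduced forms, rounded to integer coefficients."""
    return round_to_integers(poly_from_roots([singular_value(f, D, invariant) for f in reduced_forms(D)]))

def prime_discriminants(d):
    """Lemma 2: d = q_1* ... q_t* with pairwise coprime prime discriminants,
    q* = (-1)^((q-1)/2) q for an odd prime q and q* in {-4, 8, -8} for q = 2."""
    qs, m, twos = [], abs(d), 0
    while m % 2 == 0:
        m, twos = m // 2, twos + 1
    p = 3
    while m > 1:
        if m % p == 0:
            m //= p
            qs.append(p if p % 4 == 1 else -p)
            if m % p == 0:                             # a repeated odd prime: d is not fundamental
                raise ValueError(f"{d} is not a fundamental discriminant")
        p += 2
    if twos == 2:
        qs.append(-4)
    elif twos == 3:
        qs.append(d // math.prod(qs))                  # the sign of +-8 is fixed by the product being d
    if math.prod(qs) != d:
        raise ValueError(f"{d} is not a fundamental discriminant")
    return qs

def is_prime(n):
    return n > 1 and all(n % k for k in range(2, math.isqrt(n) + 1))

def genus_character(form, D):
    """phi of Section 5 as the vector ((q_1*/p), ..., (q_t*/p)) for an odd prime p represented by the form
    with p not dividing D; on an equivalent form with gcd(A, D) = 1 this is the page's (q_i*/A)."""
    A, B, C = form
    for x in range(30):
        for y in range(-30, 31):
            p = A * x * x + B * x * y + C * y * y
            if p > 2 and is_prime(p) and D % p != 0:
                # Legendre symbol (q*/p) by Euler's criterion: pow(...) is 1 or p - 1
                return tuple(1 if pow(q % p, (p - 1) // 2, p) == 1 else -1 for q in prime_discriminants(D))
    raise ArithmeticError("no represented prime coprime to D in the search range")

def genus_divisor(D, invariant="gamma2"):
    """The divisor (16) of H_D[theta, alpha*]: the product over the forms in the kernel of phi only.
    Its coefficients lie in the genus field K_G, so they are returned as unrounded complex numbers."""
    kernel = [f for f in reduced_forms(D) if all(e == 1 for e in genus_character(f, D))]
    return poly_from_roots([singular_value(f, D, invariant) for f in kernel])
```

For D = −40 the kernel of φ contains only the principal form (1, 0, 10), so the divisor is x − γ_2(√−10) with γ_2(√−10) = 390 + 162√5 (the larger root of x^2 − 780x + 20880), an algebraic integer of K_G = K(√5).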



6 Bound for coefficients of H̃_D[θ, α*]

According to Theorems 9–12, each coefficient of the polynomial H̃_D[θ, α*] can be represented by a formula ½(Σ_μ b_μ β_μ + Σ_μ b*_μ β*_μ), where b_μ, b*_μ ∈ Z, β_μ ∈ R, β*_μ ∈ iR. We need a bound for all conjugates

[the displayed expression is garbled in the extraction]

Note that the polynomial H_D[j, α*] does not depend on the set α*, so the short notation H_D[j] = H_D[j, α*] is correct.

For theoretical bounds we apply the method from [21]. Let us consider, along with H_D[j], also the polynomials

H_{D,\varphi_0}[j](x) = \prod_{i : \varphi(\mathfrak{h}(A_i, B_i, C_i)) = \varphi_0} \left( x - j(\alpha_i) \right), \qquad (17)

where φ_0 ∈ {±1}^t, (A_i, B_i, C_i) runs over representatives of all form classes, and α_i is the root of (A_i, B_i, C_i).

By definition, H̃_D[j] = H_{D,(1,…,1)}[j]. Similarly to H̃_D[j], the polynomial H_{D,φ_0}[j] is in O_{K_G}[x] for each φ_0. Moreover, if σ ∈ Gal(L/Q) is the automorphism corresponding to an ideal class b ∈ H_D, then H_{D,φ_0}[j]^σ = H_{D,φ_0 φ(b)}[j] due to Corollary 1. Since any automorphism of the field K_G can be extended to an element of Gal(L/Q), for each τ ∈ Gal(K_G/Q) there exists φ_0 = φ_0(τ) such that H_{D,φ_1}[j]^τ = H_{D,φ_1 φ_0(τ)}[j] for any φ_1 ∈ {±1}^t.

Theorem 14. The absolute value of each coefficient of the polynomial H_{D,φ_0}[j] does not exceed

[the first form of the bound, exp(c_5 h + √N (…)), is garbled in the extraction]

\le \exp\left( c_1 \sqrt{N} \ln^2 N + c_2 \sqrt{N} \ln N + c_3 \sqrt{N} + c_5 \ln N + c_4 \right) = T,

where N = |D|, γ = 0.577… is the Euler constant, c_1 = √3 π = 5.441…, c_2 = 18.587…, c_3 = 17.442…, c_4 = 11.594…, c_5 = 3.011…, c_6 = 2.566… The asymptotic upper bound

T = \exp O\!\left( \sqrt{|D|}\, \ln^2 |D| \right)

holds for other functions θ too.
Proof. We follow [31, Section 4].

We can assume that the $(A_i,B_i,C_i)$ in (17) are reduced forms, because a change of a form to an equivalent form corresponds to some $\mathrm{SL}_2(\mathbb{Z})$-transformation of the form root, and the function $j$ is invariant under these. Let $(A,B,C)$ be a reduced form; we need an upper bound for
$$\Bigl| j\Bigl(\frac{-B+\sqrt{D}}{2A}\Bigr) \Bigr|.$$
The argument of $j$ lies in the area $\{z \in \mathbb{H} : |z| \ge 1,\ |\mathrm{Re}\,z| \le \tfrac12\}$. Therefore $\mathrm{Im}\,z \ge \tfrac{\sqrt3}{2}$ and $|q| = |e^{2\pi i z}| \le e^{-\pi\sqrt3}$. Furthermore,
$$j(z) = \frac1q + 744 + \sum_{m=1}^{\infty} c_m q^m,$$
where $|c_m| \le \dfrac{e^{4\pi\sqrt m}}{\sqrt2\, m^{3/4}}$ due to [22]. Thus,
$$\Bigl| j\Bigl(\frac{-B+\sqrt{D}}{2A}\Bigr) \Bigr| \le e^{\pi\sqrt{|D|}/A} + 744 + \sum_{m=1}^{\infty} \frac{e^{4\pi\sqrt m}}{\sqrt2\, m^{3/4}}\, e^{-\pi\sqrt3\, m} = e^{\pi\sqrt{|D|}/A} + k_1, \qquad k_1 = 2114.566\ldots,$$
and
$$\Bigl| j\Bigl(\frac{-B+\sqrt{D}}{2A}\Bigr) \Bigr| \le k_2\, e^{\pi\sqrt{|D|}/A} \qquad\text{with } k_2 = 1 + k_1 e^{-\pi\sqrt3} = 10.163\ldots$$

Assume that all reduced forms are numbered so that $\{(A_i,B_i,C_i) : 1 \le i \le \deg H_{D,\varphi_0}[j]\}$ are all reduced forms from the product (17), ordered by increasing $e^{\pi\sqrt{|D|}/A_i}$, and recall that $\deg H_{D,\varphi_0}[j] = h/2^{t-1}$. The absolute value of the coefficient of $x^k$ in $H_{D,\varphi_0}[j]$ does not exceed
$$\binom{h/2^{t-1}}{k}\, k_2^{\,h/2^{t-1} - k} \prod_{i=k+1}^{h/2^{t-1}} e^{\pi\sqrt{|D|}/A_i}.$$
Therefore, the logarithm of any coefficient of $H_{D,\varphi_0}[j]$ does not exceed
$$\frac{h}{2^{t-1}}\ln(2k_2) + \pi\sqrt{|D|}\sum_{i=1}^{h/2^{t-1}} \frac{1}{A_i} \le h\ln(2k_2) + \pi\sqrt{|D|}\sum_{i=1}^{h}\frac{1}{A_i},$$
where the last sum is over all $h$ reduced forms of discriminant $D$. The bound for the last sum proved in [31, Theorem 1.2] concludes the proof for $j$.

The bound for other functions $\theta$ follows from the proved one and [22, Proposition 3]. □



In practice it is better to use heuristic but more accurate bounds.

The article [22] suggests the following upper bound for the logarithms of the absolute values of the coefficients of the polynomial $H_D[j]$:
$$\pi\sqrt{|D|}\sum_{(A,B,C)}\frac1A,$$
where the sum is over all reduced forms. This bound is heuristic but sufficiently close to the exact value. The same article suggests multiplying this sum by some constant depending on $\theta$ to obtain the analogous bound for $H_D[\theta]$. The constant is the ratio $\deg_j\Phi/\deg_\theta\Phi$, where a polynomial $\Phi$ in two variables links the functions $\theta$ and $j$ so that $\Phi(\theta(z), j(z)) = 0$.

Trivial changes of the arguments from [33] with respect to $H_D[j]$ give the heuristic bound
$$\ln T_0 = \pi\sqrt{|D|}\max_{\varepsilon\in\{\pm1\}^t}\ \sum_{(A,B,C):\ \varphi(f(A,B,C)) = \varepsilon}\frac1A \qquad (18)$$
for the invariant $j$. Again, for other invariants this bound should be multiplied by $\deg_j\Phi/\deg_\theta\Phi$.

Let
$$z = \frac12\Bigl(\sum_\mu b_\mu\beta_\mu + \sum_\mu b'_\mu\beta^*_\mu\Bigr)$$
be a coefficient of the polynomial $H_{D,\varphi_0}[j]$, $b_\mu, b'_\mu \in \mathbb{Z}$. As mentioned above, the action of $\mathrm{Gal}(K_G/\mathbb{Q})$ maps the polynomial $H_{D,\varphi_1}[j]$ to a polynomial of the same type. So for any $\lambda \in \{0,1\}^t$ the following inequality holds:
7 Construction of rational approximations to a basis of the ring of algebraic integers

There are a number of different algorithms for constructing simultaneous rational approximations to a given set of real numbers. The book [24] covers many of them. The properties of the approximations differ significantly between algorithms. For practical purposes the inner product algorithm from [24, Chapter 6A] seems to be the best in the general case. Unfortunately, it is quite difficult to prove good theoretical bounds for universal algorithms. Therefore we suggest another algorithm which allows one to obtain theoretical bounds but works only for very specific sets.

In essence, the main part of the following theorem is contained in the article [25]. The main differences between the following theorem and [25] are the following: the explicit formulation, including explicit constants; the function $\mathfrak{M}$ ([25] deals with dual bases, which is equivalent to $\mathfrak{M} \equiv 1$); and the specialization to our case ([25] does not require $M/\mathbb{Q}$ to be Galois and also contains a converse theorem).



Theorem 15. Let $M \subset K$ be a field such that $M/\mathbb{Q}$ is a Galois extension of degree $m$. Let $W_1,\dots,W_m$ and $W^*_1,\dots,W^*_m$ be two bases of $M$. Let $\mathfrak{M} : \mathrm{Gal}(M/\mathbb{Q}) \to K$ be a function (not necessarily a homomorphism) such that for each $1 \le l, l' \le m$ the following equality holds:
$$\sum_{\tau\in\mathrm{Gal}(M/\mathbb{Q})} \mathfrak{M}(\tau)\,\tau(W_l W^*_{l'}) = \begin{cases} 1, & \text{if } l = l',\\ 0, & \text{if } l \ne l'.\end{cases}$$
Let
$$C = \sum_{\tau\in\mathrm{Gal}(M/\mathbb{Q})} |\mathfrak{M}(\tau)\,\tau(W_1)|$$
and
$$C_i = \sum_{\tau\in\mathrm{Gal}(M/\mathbb{Q})} \Bigl|\mathfrak{M}(\tau)\,\tau(W_i) - \frac{W_i}{W_1}\,\mathfrak{M}(\tau)\,\tau(W_1)\Bigr|$$
for $i = 2,\dots,m$. Let a positive number $\Delta$ and integers $A_1,\dots,A_m$ satisfy the inequalities
$$\sum_{i=1}^m A_i W^*_i = Z \ge 1, \qquad |\tau(Z)| \le \frac{\Delta}{Z^{1/(m-1)}}$$
for each $\tau \in \mathrm{Gal}(M/\mathbb{Q})$, $\tau \ne \mathrm{Id}$.

Then:

• $|A_1| \ge |\mathfrak{M}(\mathrm{Id})W_1|\,Z - C\Delta$.

• If $|A_1| > C\Delta$, then $\mathfrak{M}(\mathrm{Id}) \ne 0$ and the following bound holds for each $i = 2,\dots,m$:
$$\Bigl|\frac{A_i}{A_1} - \frac{W_i}{W_1}\Bigr| \le C_i\,\frac{\Delta}{|A_1|}\Bigl(\frac{|\mathfrak{M}(\mathrm{Id})W_1|}{|A_1| - C\Delta}\Bigr)^{1/(m-1)}.$$

Proof. For each $l = 1,\dots,m$,
$$A_l = \sum_{l'=1}^m A_{l'}\sum_{\tau\in\mathrm{Gal}(M/\mathbb{Q})} \mathfrak{M}(\tau)\,\tau(W_l W^*_{l'}) = \sum_{\tau\in\mathrm{Gal}(M/\mathbb{Q})} \mathfrak{M}(\tau)\,\tau(W_l)\,\tau(Z) = \mathfrak{M}(\mathrm{Id})W_l Z + \sum_{\tau\ne\mathrm{Id}} \mathfrak{M}(\tau)\,\tau(W_l)\,\tau(Z). \qquad (19)$$
Substitute $l = 1$:
$$A_1 = \mathfrak{M}(\mathrm{Id})W_1 Z + \sum_{\tau\ne\mathrm{Id}} \mathfrak{M}(\tau)\,\tau(W_1)\,\tau(Z). \qquad (20)$$
Using the definition of $C$ and the bound for $\tau(Z)$, we obtain
$$|A_1 - \mathfrak{M}(\mathrm{Id})W_1 Z| \le \frac{C\Delta}{Z^{1/(m-1)}} \le C\Delta.$$
This proves the first assertion.

Assume that $|A_1| > C\Delta$. Then
$$|\mathfrak{M}(\mathrm{Id})W_1|\,Z \ge |A_1| - C\Delta > 0.$$
Therefore, $\mathfrak{M}(\mathrm{Id}) \ne 0$ and
$$Z \ge \frac{|A_1| - C\Delta}{|\mathfrak{M}(\mathrm{Id})W_1|}. \qquad (21)$$
Multiply the equality (20) by $\frac{W_i}{W_1}$ and subtract it from (19). Then use the definition of $C_i$ and the bound for $\tau(Z)$:
$$\Bigl|A_i - \frac{W_i}{W_1}A_1\Bigr| \le C_i\,\frac{\Delta}{Z^{1/(m-1)}}.$$
Divide the last inequality by $|A_1|$:
$$\Bigl|\frac{A_i}{A_1} - \frac{W_i}{W_1}\Bigr| \le C_i\,\frac{\Delta}{|A_1|\,Z^{1/(m-1)}}.$$
Now it is sufficient to use (21) to conclude the proof. □



The article [25] uses knowledge of the group of units $O_M^*$ (Dirichlet's theorem) and looks for $\sum_{i=1}^m A_i W^*_i$ as a unit of a special form. This allows one to prove interesting theoretical results, but it is quite inconvenient from the practical point of view. We use another approach.

We want to construct simultaneous approximations to elements of the field $\mathcal{M} = K_G \cap \mathbb{R}$. In order to do this, we apply Theorem 15 to the field $M = \mathcal{M}$. Thus $m = [\mathcal{M}:\mathbb{Q}] = 2^{t-1}$, $t \ge 2$, and $\mathrm{Gal}(\mathcal{M}/\mathbb{Q})$ consists of the automorphisms $\tau_\lambda$ defined by (15), $\lambda \in \{0,1\}^{t-1}$.

It is convenient to number the sets related to the field $\mathcal{M}$ by vectors from $\{0,1\}^{t-1}$. Hereafter we assume that two bases $\omega_\mu$ and $\omega^*_\mu$ of $\mathcal{M}$ over $\mathbb{Q}$ and a function $\mathfrak{M} : \mathrm{Gal}(\mathcal{M}/\mathbb{Q}) \to \mathcal{M}$ are given and satisfy the following conditions:

1. $\omega_{0,\dots,0} = 1$.

2. Any element of $O_\mathcal{M}$ is a linear combination of $\{\omega^*_\mu\}$ with integer coefficients.

3. For any $\lambda, \lambda' \in \{0,1\}^{t-1}$,
$$\sum_{\mu\in\{0,1\}^{t-1}} \mathfrak{M}(\tau_\mu)\,\tau_\mu(\omega_\lambda\omega^*_{\lambda'}) = \begin{cases}1, & \text{if } \lambda = \lambda',\\ 0, & \text{if } \lambda \ne \lambda'.\end{cases} \qquad (22)$$

We call such a pair an $\mathfrak{M}$-pair. It is easy to see that these conditions imply the conditions on the bases from Theorem 15 applied to the numbers
$$W_{1+\mu_1+2\mu_2+2^2\mu_3+\dots+2^{t-2}\mu_{t-1}} = \omega_{\mu_1,\dots,\mu_{t-1}}, \qquad W^*_{1+\mu_1+2\mu_2+2^2\mu_3+\dots+2^{t-2}\mu_{t-1}} = \omega^*_{\mu_1,\dots,\mu_{t-1}}.$$

Note that if $x \in O_\mathcal{M}$ then $x\beta_{0,\dots,0} \in$ HiR. The two following corollaries follow easily from Theorems 9 and 12. As in these theorems, the value of $\sqrt d$ is chosen as the product $\sqrt{q_1}\cdots\sqrt{q_t}$.



Corollary 2. Conditions 1–3 hold for
$$\omega_{\mu_1,\dots,\mu_{t-1}} = \frac{\beta_{\mu_1,\dots,\mu_{t-1}}}{\beta_{0,\dots,0}}$$
together with the $\omega^*_\mu$ and $\mathfrak{M}$ given in (23).

Corollary 3. Conditions 1–3 hold for
$$\omega_{\mu_1,\dots,\mu_{t-1}} = \frac{\beta^*_{\mu_1,\dots,\mu_{t-1}}}{\beta^*_{0,\dots,0}}$$
together with the $\omega^*_\mu$ and $\mathfrak{M}$ given in (24).
Theorem 15 also uses integer numbers $A_i$ and a constant $\Delta$. The rest of this section deals with the construction of a set such that the numbers
$$A_{1+\mu_1+2\mu_2+2^2\mu_3+\dots+2^{t-2}\mu_{t-1}} = A_{\mu_1,\dots,\mu_{t-1}}$$
satisfy the assumptions of Theorem 15 with some $\Delta$.

We need the following quantities to describe the algorithm. Let $\lambda \in \{0,1\}^{t-1}$, $\lambda \ne (0,\dots,0)$. Define
$$\delta_\lambda = q_1^{\lambda_1}\cdots q_{t-1}^{\lambda_{t-1}}\; q_t^{\lambda_1\oplus\dots\oplus\lambda_{t-1}},$$
where $\oplus$ denotes addition modulo 2. If $\delta_\lambda$ is even, set
$$g_\lambda = \sqrt{\delta_\lambda};$$
otherwise set
$$g_\lambda = \frac{1+\sqrt{\delta_\lambda}}{2}.$$
Then $g_\lambda \in O_\mathcal{M}$.

We use continued fractions. We recall that for any number $X \in \mathbb{R}$ two sequences are defined: the complete quotients $X_0, X_1, X_2, \dots$ and the partial quotients $a_0, a_1, a_2, \dots$, where $X_0 = X$, $a_n = \lfloor X_n\rfloor$, $X_{n+1} = \frac{1}{X_n - a_n}$. These sequences are finite (i.e. $X_n$ is undefined for some $n$) if and only if $X \in \mathbb{Q}$. In addition, the sequence of convergents $\frac{P_0}{Q_0}, \frac{P_1}{Q_1}, \dots$ is defined as follows: $P_{-1} = 1$, $Q_{-1} = 0$, $P_0 = a_0$, $Q_0 = 1$, $P_{n+1} = a_{n+1}P_n + P_{n-1}$, $Q_{n+1} = a_{n+1}Q_n + Q_{n-1}$. It is well known (e.g. [26, Theorems 9 and 12]) that for any $n \ge 0$
$$\Bigl|X - \frac{P_n}{Q_n}\Bigr| < \frac{1}{Q_n Q_{n+1}}, \quad\text{if } X_{n+2} \text{ is defined}; \qquad (25)$$
$$Q_n \ge 2^{(n-1)/2}. \qquad (26)$$

In the case of quadratic irrationals these sequences have an additional structure. We use some results from [27, §11.10] collected in the next statement.

Statement 2. Let $a, b, c$ be integers with $\gcd(a,b,c) = 1$. Let $\delta = b^2 - ac > 0$ be not an exact square. We call the roots of the equation $ax^2 + 2bx + c = 0$ irrationals of determinant $\delta$.

Let $X = \frac{-b+\sqrt\delta}{a}$ be an irrational of determinant $\delta$. Then all complete quotients $X_n$ are also irrationals of determinant $\delta$ and have the form $X_n = \frac{x_n+\sqrt\delta}{y_n}$, where $x_n, y_n \in \mathbb{Z}$ are uniquely determined. Let $a_n = \lfloor X_n\rfloor$ be the partial quotients of $X$. Define $y_{-1} = -c = \frac{\delta - x_0^2}{y_0} \in \mathbb{Z}$. The following recurrent formulas hold:
$$x_n = a_{n-1}y_{n-1} - x_{n-1}, \quad n \ge 1;$$
$$\delta = x_n^2 + y_n y_{n-1}, \quad n \ge 0; \qquad (27)$$
$$y_n = y_{n-2} - a_{n-1}(x_n - x_{n-1}), \quad n \ge 1.$$
Moreover, for $n \ge 0$
$$X_1\cdots X_n = \frac{(-1)^n}{P_{n-1} - Q_{n-1}X}, \qquad aP_{n-1}^2 + 2bP_{n-1}Q_{n-1} + cQ_{n-1}^2 = (-1)^n y_n. \qquad (28)$$
A number $\frac{x+\sqrt\delta}{y}$ with $x, y \in \mathbb{Z}$ is reduced if $\frac{x+\sqrt\delta}{y} > 1$ and $-1 < \frac{x-\sqrt\delta}{y} < 0$. A number $\frac{x+\sqrt\delta}{y}$ is reduced if and only if $0 < \sqrt\delta - x < y < \sqrt\delta + x$. If $X$ is reduced, then all complete quotients of $X$ are also reduced.

We calculate the continued fractions of all numbers $g_\lambda$, $\lambda \in \{0,1\}^{t-1}$, $\lambda \ne 0$, in parallel. Let $X_{\lambda,n}$ be the complete quotients of $g_\lambda$ and $a_{\lambda,n}$ the partial quotients of $g_\lambda$. Let $P_{\lambda,n}$ and $Q_{\lambda,n}$ be the numerators and denominators of the convergents of $g_\lambda$ respectively. Let $x_{\lambda,n}, y_{\lambda,n}$ be the quantities $x_n, y_n$ from Statement 2 calculated for $X = g_\lambda$. Let $\sigma_\lambda$ denote the only nontrivial automorphism of the field $\mathbb{Q}(g_\lambda)$.

If $\delta_\lambda$ is odd, then $g_\lambda$ is an irrational of determinant $\delta_\lambda$, $x_{\lambda,0} = 1$, $y_{\lambda,0} = 2$, $y_{\lambda,-1} = \frac{\delta_\lambda - 1}{2}$. It is easy to see from (27) by induction that $x_{\lambda,n}$ is odd and $y_{\lambda,n}$ is even for all $n$. Let $x'_{\lambda,n} = \frac{x_{\lambda,n}-1}{2} \in \mathbb{Z}$ and $y'_{\lambda,n} = \frac{y_{\lambda,n}}{2}$. The quadratic polynomial $ax^2 + 2bx + c$, where $a, b, c$ are defined in Statement 2, has leading coefficient $2$ and roots $g_\lambda, \sigma_\lambda(g_\lambda)$. Thus, (28) is equivalent to $2(P_{\lambda,n-1} - Q_{\lambda,n-1}g_\lambda)\,\sigma_\lambda(P_{\lambda,n-1} - Q_{\lambda,n-1}g_\lambda) = (-1)^n y_{\lambda,n} = (-1)^n\, 2y'_{\lambda,n}$.

If $\delta_\lambda$ is even, then $g_\lambda$ is an irrational of determinant $\delta_\lambda$, $x_{\lambda,0} = 0$, $y_{\lambda,0} = 1$, $y_{\lambda,-1} = \delta_\lambda$. Let $x'_{\lambda,n} = x_{\lambda,n}$ and $y'_{\lambda,n} = y_{\lambda,n}$. The quadratic polynomial $ax^2 + 2bx + c$, where $a, b, c$ are defined in Statement 2, has leading coefficient $1$ and roots $g_\lambda, \sigma_\lambda(g_\lambda)$. Thus, (28) is equivalent to $(P_{\lambda,n-1} - Q_{\lambda,n-1}g_\lambda)\,\sigma_\lambda(P_{\lambda,n-1} - Q_{\lambda,n-1}g_\lambda) = (-1)^n y_{\lambda,n} = (-1)^n y'_{\lambda,n}$.
In both cases
$$X_{\lambda,n} = \frac{g_\lambda + x'_{\lambda,n}}{y'_{\lambda,n}}, \qquad (P_{\lambda,n-1} - Q_{\lambda,n-1}g_\lambda)\,\sigma_\lambda(P_{\lambda,n-1} - Q_{\lambda,n-1}g_\lambda) = (-1)^n y'_{\lambda,n}. \qquad (29)$$
Statement 2 gives an efficient method to calculate the numbers $x'_{\lambda,n}$, $y'_{\lambda,n}$, $a_{\lambda,n} = \lfloor X_{\lambda,n}\rfloor$ in sequence, and then $P_{\lambda,n}$ and $Q_{\lambda,n}$. The algorithm uses the numbers $x'_{\lambda,n}, y'_{\lambda,n}$ and
$$z_{\lambda,n} = \frac{1}{X_{\lambda,1}\cdots X_{\lambda,n}} = (-1)^n\bigl(P_{\lambda,n-1} - Q_{\lambda,n-1}g_\lambda\bigr) \in O_\mathcal{M}. \qquad (30)$$
This definition and the equality (29) imply that for any $n \ge 0$
$$z_{\lambda,n}\,\sigma_\lambda(z_{\lambda,n}) = (-1)^n y'_{\lambda,n}. \qquad (31)$$
The numbers $A_\mu$ are taken from the equality
$$\prod_{\lambda\ne0}\bigl((-1)^{n_\lambda}\sigma_\lambda(z_{\lambda,n_\lambda})\bigr) = \sum_\mu A_\mu\,\omega^*_\mu.$$
The left-hand side is a product of algebraic integers due to (30), so condition 2 on the $\mathfrak{M}$-pair guarantees that the $A_\mu$ are integers.

Each step of the algorithm increments exactly one of the numbers $n_\lambda$. This multiplies $\sum_\mu A_\mu\omega^*_\mu$ by
$$\frac{(-1)^{n+1}\sigma_\lambda(z_{\lambda,n+1})}{(-1)^n\sigma_\lambda(z_{\lambda,n})} = \frac{y'_{\lambda,n+1}/z_{\lambda,n+1}}{y'_{\lambda,n}/z_{\lambda,n}} = \frac{X_{\lambda,n+1}\,y'_{\lambda,n+1}}{y'_{\lambda,n}} = \frac{g_\lambda + x'_{\lambda,n+1}}{y'_{\lambda,n}}.$$
Thus, we need to switch from the set $A_\mu$ to the set $A'_\mu$ such that
$$\sum_\mu A'_\mu\omega^*_\mu = \frac{g_\lambda + x_\lambda}{y_\lambda}\sum_\mu A_\mu\omega^*_\mu$$
(where $x_\lambda = x'_{\lambda,n_\lambda+1}$ and $y_\lambda = y'_{\lambda,n_\lambda}$). Since $\{\omega^*_\mu\}$ is a $\mathbb{Q}$-basis of $\mathcal{M}$ and $g_\lambda \in \mathcal{M}$, we can precompute numbers $c_{\lambda\mu\xi} \in \mathbb{Q}$ such that
$$g_\lambda\,\omega^*_\mu = \sum_\xi c_{\lambda\mu\xi}\,\omega^*_\xi.$$
On each step we calculate
$$\frac{g_\lambda + x_\lambda}{y_\lambda}\sum_\mu A_\mu\omega^*_\mu = \frac{1}{y_\lambda}\Bigl(\sum_\mu A_\mu\sum_\xi c_{\lambda\mu\xi}\,\omega^*_\xi + x_\lambda\sum_\xi A_\xi\,\omega^*_\xi\Bigr) = \sum_\xi A'_\xi\,\omega^*_\xi.$$

Algorithm for the construction of simultaneous approximations. Input data: the sets $\delta_\lambda$, $g_\lambda$, $c_{\lambda\mu\xi}$ as above and the threshold $N_0 > 0$. Output data: the set of integers $A_\mu$ such that $|A_{0,\dots,0}| \ge N_0$ and $\frac{A_\mu}{A_{0,\dots,0}}$ is an approximation to $\frac{\omega_\mu}{\omega_{0,\dots,0}}$ for each $\mu \in \{0,1\}^{t-1}$.

The algorithm keeps a set of $2^{t-1}$ integers $A_\mu$ and auxiliary sets of non-negative integers $x_\lambda$, positive integers $(y_\lambda, \hat y_\lambda)$ and positive reals $(z_\lambda, \hat z_\lambda)$ for $\lambda \in \{0,1\}^{t-1}$, $\lambda \ne (0,\dots,0)$. These sets have the following meaning: if each vector $\lambda$ was selected $n_\lambda$ times during step 3 below, then
$$x_\lambda = x'_{\lambda,n_\lambda}, \qquad (y_\lambda, \hat y_\lambda) = (y'_{\lambda,n_\lambda},\ y'_{\lambda,n_\lambda-1}), \qquad (z_\lambda, \hat z_\lambda) = (z_{\lambda,n_\lambda},\ z_{\lambda,n_\lambda-1}), \qquad \sum_\mu A_\mu\omega^*_\mu = \prod_{\lambda\ne0}\bigl((-1)^{n_\lambda}\sigma_\lambda(z_{\lambda,n_\lambda})\bigr).$$

The algorithm consists of the following steps.

1. Initialization. Set $A_{0,\dots,0} := 1$ and $A_\mu := 0$ for $\mu \ne (0,\dots,0)$. For each $\lambda \in \{0,1\}^{t-1}$, $\lambda \ne (0,\dots,0)$ set
$$x_\lambda := 0, \qquad (y_\lambda, \hat y_\lambda) := (1,\ y'_{\lambda,-1}), \qquad (z_\lambda, \hat z_\lambda) := (1,\ g_\lambda),$$
where $y'_{\lambda,-1} = \frac{\delta_\lambda-1}{4}$ if $\delta_\lambda$ is odd and $y'_{\lambda,-1} = \delta_\lambda$ if $\delta_\lambda$ is even (these are the values $y_{\lambda,-1}/2$ and $y_{\lambda,-1}$ from the two cases above).

2. Iterations. Repeat the following steps while $|A_{0,\dots,0}| < N_0$.

3. Select any $\lambda$ such that $z_\lambda = \max_{\mu\ne(0,\dots,0)} z_\mu$.

4. Calculate $a = \bigl\lfloor (g_\lambda + x_\lambda)/y_\lambda \bigr\rfloor$.

5. Set $(z_\lambda, \hat z_\lambda) := (\hat z_\lambda - a z_\lambda,\ z_\lambda)$.

6. Save $x = x_\lambda$. Set $x_\lambda := a y_\lambda - x_\lambda - (\delta_\lambda \bmod 2)$. Set $(y_\lambda, \hat y_\lambda) := (\hat y_\lambda - a(x_\lambda - x),\ y_\lambda)$. (As shown below, the new value of $x_\lambda$ is always a non-negative integer and the new value of $y_\lambda$ is always a positive integer.)

7. For each $\mu$ calculate
$$A'_\mu = \frac{\sum_\xi A_\xi\, c_{\lambda\xi\mu} + A_\mu x_\lambda}{\hat y_\lambda},$$
where $x_\lambda$ is the value set in step 6 and $\hat y_\lambda = y'_{\lambda,n_\lambda}$ is the value that $y_\lambda$ had before step 6. (As shown above, $A'_\mu \in \mathbb{Z}$ for all $\mu$.) Set $A_\mu := A'_\mu$.
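The per-$\lambda$ bookkeeping of steps 4–6 above for a single quadratic irrational $g_\lambda$, as an added example that is not part of the original paper: it runs Statement 2's recurrences in the primed coordinates $(x'_{\lambda,n}, y'_{\lambda,n})$, keeps $(z_{\lambda,n}, z_{\lambda,n-1})$ exactly as elements of $\mathbb{Q}(\sqrt{\delta_\lambda})$, tracks the convergents $P_{\lambda,n}/Q_{\lambda,n}$, and checks (29)–(31), Statement 2's reduced-form inequalities and Lemma 5's $-1 < \sigma_\lambda(X_{\lambda,n}) < 0$ at every step with exact rational arithmetic (no floating point, so the checks are proofs for the sampled inputs). It omits the $\mathfrak{M}$-pair update of step 7, whose coefficients $c_{\lambda\mu\xi}$ depend on bases not reproduced on this page. The class `QI`, the function names and the sample determinants $\delta \in \{5, 13, 6, 14\}$ are constructed for this illustration and do not come from the paper.

```python
from fractions import Fraction
from math import isqrt


class QI:
    """Element r + s*sqrt(delta) of Q(sqrt(delta)) with exact rational r, s (illustration type)."""

    def __init__(self, r, s, delta):
        self.r, self.s, self.delta = Fraction(r), Fraction(s), delta

    def __mul__(self, o):
        d = self.delta
        return QI(self.r * o.r + self.s * o.s * d, self.r * o.s + self.s * o.r, d)

    def __sub__(self, o):
        return QI(self.r - o.r, self.s - o.s, self.delta)

    def conj(self):  # sigma_lambda: the nontrivial automorphism of Q(sqrt(delta))
        return QI(self.r, -self.s, self.delta)

    def inv(self):  # 1/z = sigma(z)/N(z) with N(z) = r^2 - delta s^2
        n = self.r * self.r - self.s * self.s * self.delta
        return QI(self.r / n, -self.s / n, self.delta)

    def __eq__(self, o):
        return (self.r, self.s, self.delta) == (o.r, o.s, o.delta)


def generator(delta):
    """g = sqrt(delta) for even delta, (1 + sqrt(delta))/2 for odd delta (delta = 1 mod 4)."""
    if delta % 2 == 0:
        return QI(0, 1, delta)
    if delta % 4 != 1:
        raise ValueError("odd delta must be 1 mod 4 for (1+sqrt(delta))/2 to be an integer")
    return QI(Fraction(1, 2), Fraction(1, 2), delta)


def unprimed(delta, xp, yp):
    """(x_n, y_n) of Statement 2 from the primed coordinates: X_n = (x_n + sqrt(delta))/y_n."""
    return (xp, yp) if delta % 2 == 0 else (2 * xp + 1, 2 * yp)


def partial_quotient(delta, xp, yp):
    """Step 4: a = floor((g + x')/y'), exactly. For integer x and integer y > 0,
    floor((x + sqrt(delta))/y) == (x + isqrt(delta)) // y, so no floating point is needed."""
    x, y = unprimed(delta, xp, yp)
    return (x + isqrt(delta)) // y


def expand(delta, steps):
    """Run steps 4-6 of the paper's algorithm for one lambda, `steps` times.

    State mirrors the algorithm: x = x'_n, (y, yhat) = (y'_n, y'_{n-1}),
    (z, zhat) = (z_n, z_{n-1}); the convergents P_n/Q_n are tracked alongside.
    Returns records (a_n, x'_{n+1}, y'_{n+1}, P_n, Q_n, z_{n+1}).
    """
    g, odd = generator(delta), delta % 2
    x, y, yhat = 0, 1, (delta - 1) // 4 if odd else delta  # x'_0, y'_0, y'_{-1}
    z, zhat = QI(1, 0, delta), g                           # z_0 = 1, z_{-1} = g
    P, Q, Pp, Qp = 1, 0, 0, 1                              # (P,Q)_{-1}, (P,Q)_{-2}
    out = []
    for _ in range(steps):
        a = partial_quotient(delta, x, y)            # step 4
        z, zhat = zhat - QI(a, 0, delta) * z, z      # step 5: z_{n+1} = z_{n-1} - a_n z_n
        xold, x = x, a * y - x - odd                 # step 6: x'_{n+1} = a_n y'_n - x'_n - [delta odd]
        y, yhat = yhat - a * (x - xold), y           #         y'_{n+1} = y'_{n-1} - a_n (x'_{n+1} - x'_n)
        P, Q, Pp, Qp = a * P + Pp, a * Q + Qp, P, Q  # P_n = a_n P_{n-1} + P_{n-2}, same for Q
        out.append((a, x, y, P, Q, z))
    return out


def verify(delta, steps):
    """Exact check of (29)-(31), Statement 2's reduced-form test and Lemma 5 for n = 1..steps.
    Returns the partial quotients a_0, ..., a_{steps-1}; raises AssertionError on a violation."""
    g = generator(delta)
    prodX = QI(1, 0, delta)
    quotients = []
    for n, (a, xp, yp, P, Q, z) in enumerate(expand(delta, steps), start=1):
        quotients.append(a)
        X = QI(g.r + xp, g.s, delta) * QI(Fraction(1, yp), 0, delta)  # X_n = (g + x'_n)/y'_n
        prodX = prodX * X
        sign = QI((-1) ** n, 0, delta)
        # (30): z_n = (-1)^n (P_{n-1} - Q_{n-1} g) = 1/(X_1 ... X_n)
        assert z == sign * (QI(P, 0, delta) - QI(Q, 0, delta) * g) and z == prodX.inv()
        # (29)/(31): z_n sigma(z_n) = (-1)^n y'_n; x'_n non-negative, y'_n positive
        assert z * z.conj() == QI((-1) ** n * yp, 0, delta) and xp >= 0 and yp > 0
        # Statement 2: X_n reduced  <=>  0 < sqrt(delta) - x_n < y_n < sqrt(delta) + x_n
        x, y = unprimed(delta, xp, yp)
        assert 0 <= x and x * x < delta and delta < (x + y) ** 2 and (y < x or (y - x) ** 2 < delta)
        # Lemma 5: -1 < sigma(X_n) < 0 for sigma(X_n) = r - s sqrt(delta), s > 0
        r, s = X.r, X.s
        assert (r < 0 or r * r < s * s * delta) and r + 1 > 0 and (r + 1) ** 2 > s * s * delta
    return quotients


if __name__ == "__main__":
    for d in (5, 13, 6, 14):  # constructed sample determinants, not values from the paper
        print(d, verify(d, 8))
```

The integer state $(x'_n, y'_n)$ is all that step 4 needs, because $\lfloor (g_\lambda + x')/y' \rfloor$ can be taken with an integer square root; the exact `QI` arithmetic is only there to confirm that the cheap integer recurrences reproduce $z_{\lambda,n}$ and the norm identity (31) that the integrality argument for the $A_\mu$ relies on.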



Theorem 16. The algorithm completes in $O(\ln N_0)$ steps. The following inequalities hold at every step of the algorithm:
$$0 \le x_\lambda < \sqrt{\delta_\lambda} - g_\lambda, \qquad 0 < y_\lambda < \sqrt{\delta_\lambda};$$
$$Z = \sum_\mu A_\mu\,\omega^*_\mu \ge 1;$$
$$|\tau_\mu(Z)| \le \frac{|d|^{m/2}}{Z^{1/(m-1)}} \qquad\text{for } \mu \ne (0,\dots,0).$$



Proof. We start with the bounds for $x'_\lambda$, $y'_\lambda$.

Lemma 5. Let $\lambda \in \{0,1\}^{t-1}$, $\lambda \ne 0$. Let $n \ge 1$ be an integer. Then
$$0 \le x'_{\lambda,n} < \sqrt{\delta_\lambda} - g_\lambda, \qquad 0 < y'_{\lambda,n} < \sqrt{\delta_\lambda}, \qquad -1 < \sigma_\lambda(X_{\lambda,n}) < 0.$$

Proof. Assume first that $\delta_\lambda$ is odd. By definition, $X_{\lambda,1} = \frac{1}{g_\lambda - \lfloor g_\lambda\rfloor}$. Obviously, $X_{\lambda,1} > 1$. In addition, $\sigma_\lambda(X_{\lambda,1}) = \frac{1}{1 - g_\lambda - \lfloor g_\lambda\rfloor}$ and $g_\lambda > 1$ imply that $-1 < \sigma_\lambda(X_{\lambda,1}) < 0$. Therefore, due to Statement 2, all complete quotients of $g_\lambda$ starting from $X_{\lambda,1}$ are reduced irrationals of determinant $\delta_\lambda$. That is, $0 < \sqrt{\delta_\lambda} - x_{\lambda,n} < y_{\lambda,n} < \sqrt{\delta_\lambda} + x_{\lambda,n}$ for $n \ge 1$. Since $x'_{\lambda,n} = \frac{x_{\lambda,n}-1}{2}$ and $y'_{\lambda,n} = \frac{y_{\lambda,n}}{2}$ in this case, we obtain the required bounds.

Assume now that $\delta_\lambda$ is even. As in the first case, $X_{\lambda,1} = \frac{1}{g_\lambda - \lfloor g_\lambda\rfloor} > 1$. In addition, $\sigma_\lambda(X_{\lambda,1}) = -\frac{1}{g_\lambda + \lfloor g_\lambda\rfloor}$ and $g_\lambda > 1$ imply that $-1 < \sigma_\lambda(X_{\lambda,1}) < 0$. Therefore, due to Statement 2, all complete quotients of $g_\lambda$ starting from $X_{\lambda,1}$ are reduced irrationals of determinant $\delta_\lambda$. That is, $0 < \sqrt{\delta_\lambda} - x_{\lambda,n} < y_{\lambda,n} < \sqrt{\delta_\lambda} + x_{\lambda,n}$ for $n \ge 1$. Since $x'_{\lambda,n} = x_{\lambda,n}$ and $y'_{\lambda,n} = y_{\lambda,n}$ in this case, we obtain the required bounds. □



Since $X_{\lambda,n} = \frac{g_\lambda + x'_{\lambda,n}}{y'_{\lambda,n}}$ and $y'_{\lambda,n} \ge 1$, Lemma 5 immediately implies

Corollary 4. For $n \ge 1$
$$X_{\lambda,n} < \sqrt{\delta_\lambda}. \qquad (32)$$

Let $n_\lambda$ denote the number of times $\lambda$ was selected in step 3 of the algorithm, $\lambda \ne 0$. The inequality $Z = \prod_{\lambda\ne0}\bigl((-1)^{n_\lambda}\sigma_\lambda(z_{\lambda,n_\lambda})\bigr) \ge 1$ follows immediately from the last inequality of Lemma 5 and the definition (30) of $z_{\lambda,n_\lambda}$: each factor equals $(-1)^{n_\lambda}\sigma_\lambda(z_{\lambda,n_\lambda}) = \prod_{k=1}^{n_\lambda}\bigl(-\sigma_\lambda(X_{\lambda,k})\bigr)^{-1} \ge 1$.
Lemma 6.
$$\frac{\max_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu}}{\min_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu}} \le \sqrt{|d|}.$$

Proof. Before the iterations the left-hand side equals $1$, so the inequality holds. Assume that the inequality holds after some number of iterations. Assume that step 3 of the next iteration selects the value $\lambda$, i.e.
$$z_{\lambda,n_\lambda} = \max_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu}.$$
Let $n'_\lambda = n_\lambda + 1$ and $n'_\mu = n_\mu$ for $\mu \ne \lambda$, $\mu \ne (0,\dots,0)$. Obviously, $X_{\lambda,n'_\lambda} > 1$, so $z_{\lambda,n'_\lambda} < z_{\lambda,n_\lambda}$. There are two possible cases:

• $z_{\lambda,n'_\lambda} \ge \min_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu}$. In this case
$$\min_{\mu\ne(0,\dots,0)} z_{\mu,n'_\mu} = \min_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu}, \qquad \max_{\mu\ne(0,\dots,0)} z_{\mu,n'_\mu} \le \max_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu};$$
therefore, the ratio does not increase and the inequality still holds.

• $z_{\lambda,n'_\lambda} < \min_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu}$. In this case $\min_{\mu\ne(0,\dots,0)} z_{\mu,n'_\mu} = z_{\lambda,n'_\lambda}$; using (32), we obtain
$$\frac{\max_{\mu\ne(0,\dots,0)} z_{\mu,n'_\mu}}{\min_{\mu\ne(0,\dots,0)} z_{\mu,n'_\mu}} \le \frac{z_{\lambda,n_\lambda}}{z_{\lambda,n'_\lambda}} = X_{\lambda,n_\lambda+1} < \sqrt{\delta_\lambda} \le \sqrt{|d|}. \qquad\square$$

We recall that $\sigma_\lambda$ is an automorphism of the field $\mathbb{Q}(g_\lambda) \subset \mathcal{M}$. Note that for any $\lambda$ and $\mu$ the automorphism $\tau_\mu$ can be restricted to the field $\mathbb{Q}(g_\lambda)$. The restriction $\tau_\mu|_{\mathbb{Q}(g_\lambda)}$ acts trivially if $\sum_{i=1}^{t-1}\lambda_i\mu_i \equiv 0 \pmod 2$ and coincides with $\sigma_\lambda$ otherwise.

Let $\max_{\mu\ne(0,\dots,0)} z_{\mu,n_\mu} = e$. Lemma 6 implies that
$$\frac{e}{\sqrt{|d|}} \le z_{\lambda,n_\lambda} \le e$$
for each $\lambda \ne (0,\dots,0)$. The equalities (30), (31) and Lemma 5 imply that $1 \le z_{\lambda,n_\lambda}\,|\sigma_\lambda(z_{\lambda,n_\lambda})| = y'_{\lambda,n_\lambda} \le \sqrt{\delta_\lambda} \le \sqrt{|d|}$. Thus,
$$\frac1e \le |\sigma_\lambda(z_{\lambda,n_\lambda})| \le \frac{|d|}{e}.$$
By construction,
$$Z = \prod_{\lambda\ne0}|\sigma_\lambda(z_{\lambda,n_\lambda})| \le \Bigl(\frac{|d|}{e}\Bigr)^{m-1}, \qquad\text{so}\qquad e \le \frac{|d|}{Z^{1/(m-1)}}.$$
Let $\mu \ne 0$. The condition $\sum_{i=1}^{t-1}\lambda_i\mu_i \equiv 0 \pmod 2$ as an equation for $\lambda \in \{0,1\}^{t-1}$ has exactly $\frac m2$ solutions, including zero. Therefore
$$|\tau_\mu(Z)| = \prod_{\lambda\ne0}\bigl|\tau_\mu\bigl(\sigma_\lambda(z_{\lambda,n_\lambda})\bigr)\bigr| \le \Bigl(\frac{|d|}{e}\Bigr)^{m/2-1} e^{m/2} = |d|^{m/2-1}\,e \le \frac{|d|^{m/2}}{Z^{1/(m-1)}}.$$
It remains to show that the algorithm completes in $O(\ln N_0)$ iterations. The part of the theorem which is already proved allows us to apply Theorem 15 with $\Delta = |d|^{m/2}$. Thus, the following inequality holds at any step of the algorithm:
$$|A_{0,\dots,0}| \ge |\mathfrak{M}(\mathrm{Id})\,\omega_{0,\dots,0}|\,Z - C|d|^{m/2},$$
where the constants $\mathfrak{M}(\mathrm{Id})\,\omega_{0,\dots,0} \ne 0$ and $C|d|^{m/2}$ depend only on the bases. Now (31) implies $|\sigma_\lambda(z_{\lambda,n_\lambda})| \ge 1/z_{\lambda,n_\lambda}$; together with (25), (26) and (30) this yields
$$Z \ge \prod_{\lambda\ne0}\frac{1}{|P_{\lambda,n_\lambda-1} - Q_{\lambda,n_\lambda-1}g_\lambda|} \ge \prod_{\lambda\ne0} Q_{\lambda,n_\lambda} \ge \prod_{\lambda\ne0} 2^{(n_\lambda-1)/2} = 2^{\bigl(\sum_{\lambda\ne0} n_\lambda - (m-1)\bigr)/2}.$$
The sum $\sum_{\lambda\ne0} n_\lambda$ is the number of algorithm iterations. Thus, after $O(\ln N_0)$ iterations the following inequality is reached:
$$Z \ge \frac{N_0 + C|d|^{m/2}}{|\mathfrak{M}(\mathrm{Id})\,\omega_{0,\dots,0}|}.$$
This implies $|A_{0,\dots,0}| \ge N_0$ and concludes the proof. □



8 Calculation of an algebraic integer by its approximation

We want to calculate numbers $b_\mu \in \mathbb{Z}$ from an approximate value of $\sum_\mu b_\mu\beta_\mu$, and also numbers $b'_\mu \in \mathbb{Z}$ from an approximate value of $\sum_\mu b'_\mu\beta^*_\mu$. Section 6 gives a priori bounds of the form
$$\Bigl|\tau_\lambda\Bigl(\sum_\mu b_\mu\beta_\mu\Bigr)\Bigr| \le T_0, \qquad \Bigl|\tau_\lambda\Bigl(\sum_\mu b'_\mu\beta^*_\mu\Bigr)\Bigr| \le T_0, \qquad (33)$$
where $T_0$ depends only on $D$. Section 7 gives a set of simultaneous approximations to the numbers
$$\frac{\beta_\mu}{\beta_{0,\dots,0}}$$
and another set for the numbers
$$\frac{\beta^*_\mu}{\beta^*_{0,\dots,0}}.$$
The precision of these approximations depends on a parameter $N_0$.



The approximations constructed in Section 7 satisfy Theorem 16, which will be used. (One can prove that any simultaneous approximations $A_\mu$ to a basis $W_i$ with a bound of the form
$$\Bigl|\frac{A_i}{A_1} - \frac{W_i}{W_1}\Bigr| \le \frac{\varkappa}{|A_1|^{1+\alpha}}$$
satisfy the last bound from Theorem 16 with an exponent $\alpha$ instead of $\frac{1}{m-1}$. Thus, actually any sufficiently good approximations can be used.)

We continue to use the bases $\omega_\mu$, $\omega^*_\mu$ and the function $\mathfrak{M}$ defined in (23) (for $b_\mu$) or (24) (for $b'_\mu$). It is easy to see that they satisfy the following property in addition to properties 1–3 of $\mathfrak{M}$-pairs:

2'. If $x \in O_\mathcal{M}$, then $\omega_\mu x$ is a linear combination of $\{\omega_\xi\}$ with integer coefficients.

For definiteness, we show how to find $b_\mu$; the method for $b'_\mu$ is analogous.

Let $X_\eta \in O_\mathcal{M}$ be a set of $m = 2^{t-1}$ numbers linearly independent over $\mathbb{Q}$. For example, one possible choice is $X_\eta = \beta_\eta$; another possible choice is $X_{0,\dots,0} = 1$ and $X_\eta = g_\eta$ for $\eta \ne (0,\dots,0)$. Property 2' implies that
$$\omega_\mu X_\eta = \sum_\nu x_{\mu\eta\nu}\,\omega_\nu \qquad (34)$$
with $x_{\mu\eta\nu} \in \mathbb{Z}$. (The choice $X_\eta = g_\eta$ is convenient in that the $x_{\mu\eta\nu}$ are the same as the $c_{\eta\mu\nu}$ with $\beta_\mu$ and $\beta^*_\mu$ transposed. The choice $X_\eta = \beta_\eta$ results in numbers $x_{\mu\eta\nu}$ which are slightly smaller in absolute value.)

Assume that the precision $\varepsilon$ is selected. We know the value of the sum $\sum_\mu b_\mu\beta_\mu$ with precision $\varepsilon$; in other words, we know a number $\gamma$ such that $\bigl|\sum_\mu b_\mu\beta_\mu - \gamma\bigr| < \varepsilon$. Divide this inequality by $\beta_{0,\dots,0}$ and multiply by $X_\eta$:
$$\Bigl|\sum_\mu b_\mu\,\omega_\mu X_\eta - \frac{\gamma X_\eta}{\beta_{0,\dots,0}}\Bigr| < \frac{\varepsilon\,|X_\eta|}{|\beta_{0,\dots,0}|}. \qquad (35)$$
Let $B_{\nu\eta} = \sum_\mu b_\mu x_{\mu\eta\nu} \in \mathbb{Z}$, so that $\sum_\mu b_\mu\,\omega_\mu X_\eta = \sum_\nu B_{\nu\eta}\,\omega_\nu$ by (34). For any $\mu'$ we have from (22) that
$$B_{\mu'\eta} = \sum_\lambda \mathfrak{M}(\tau_\lambda)\,\tau_\lambda(\omega^*_{\mu'})\,\tau_\lambda\Bigl(\sum_\nu B_{\nu\eta}\,\omega_\nu\Bigr). \qquad (36)$$
Multiplying (36) by $A_{\mu'}$ and summing over $\mu'$ turns the second factor into $\tau_\lambda(Z)$, where $Z = \sum_\mu A_\mu\omega^*_\mu$ as above. The term with $\lambda = 0$ is special. In this case (35) gives an approximate value of the last factor with a bound for the approximation error. Now consider $\lambda \ne 0$. Theorem 16 gives a bound for the second factor. Together with (33) this implies that
$$\Bigl|\tau_\lambda\Bigl(\sum_\nu B_{\nu\eta}\,\omega_\nu\Bigr)\Bigr| = \frac{\bigl|\tau_\lambda\bigl(\sum_\mu b_\mu\beta_\mu\bigr)\bigr|\,|\tau_\lambda(X_\eta)|}{|\tau_\lambda(\beta_{0,\dots,0})|} \le \frac{T_0\,|\tau_\lambda(X_\eta)|}{|\tau_\lambda(\beta_{0,\dots,0})|}.$$
Therefore, (36), (35) and Theorem 16 imply that
$$\Bigl|\sum_{\mu'} A_{\mu'}B_{\mu'\eta} - \mathfrak{M}(\mathrm{Id})\,Z\,\frac{\gamma X_\eta}{\beta_{0,\dots,0}}\Bigr| \le \frac{\varepsilon\,|\mathfrak{M}(\mathrm{Id})|\,|X_\eta|\,Z}{|\beta_{0,\dots,0}|} + \sum_{\lambda\ne0}|\mathfrak{M}(\tau_\lambda)|\,\frac{|d|^{m/2}}{Z^{1/(m-1)}}\,\frac{T_0\,|\tau_\lambda(X_\eta)|}{|\tau_\lambda(\beta_{0,\dots,0})|}. \qquad (37)$$

The second term is a ratio of some constant to $Z^{1/(m-1)}$. Since $A_{0,\dots,0} = A_1$, the inequality (21) shows that the threshold $N_0$ can be selected such that the bound
$$Z \ge \Bigl(4\sum_{\lambda\ne0}|\mathfrak{M}(\tau_\lambda)|\,\frac{|\tau_\lambda(X_\eta)|}{|\tau_\lambda(\beta_{0,\dots,0})|}\,|d|^{m/2}\,T_0\Bigr)^{m-1} \qquad (38)$$
holds, and then the second term in the right-hand side of (37) is less than $\frac14$.

Assume that such a threshold $N_0$ is selected. Calculate the simultaneous approximations $A_\mu$, then compute $Z$. Select $\varepsilon$ so that for each $\eta$ the inequality
$$\varepsilon < \frac{|\beta_{0,\dots,0}|}{4\,|\mathfrak{M}(\mathrm{Id})\,X_\eta|\,Z} \qquad (39)$$
holds. Then the first term in the right-hand side of (37) is also less than $\frac14$. Thus, the left-hand side of (37) is less than $\frac12$. Since $\sum_{\mu'} A_{\mu'}B_{\mu'\eta} \in \mathbb{Z}$, we can recover the exact value of this sum by rounding $\mathfrak{M}(\mathrm{Id})\,Z\,\frac{\gamma X_\eta}{\beta_{0,\dots,0}}$ to an integer.

Now we obtain a system of linear equations for the $b_\xi$ with the left-hand side
$$\sum_{\mu'} A_{\mu'}B_{\mu'\eta} = \sum_\xi b_\xi\Bigl(\sum_{\mu'} A_{\mu'}\,x_{\xi\eta\mu'}\Bigr). \qquad (40)$$

Lemma 7. The matrix $\bigl(\sum_{\mu'} A_{\mu'}\,x_{\xi\eta\mu'}\bigr)_{\eta,\xi}$ is nonsingular.

Proof. Assume that this matrix is singular. Equivalently, there exist numbers $y_\eta \in \mathbb{Q}$, not all zero, such that
$$\sum_\eta\sum_{\mu'} y_\eta A_{\mu'}\,x_{\xi\eta\mu'} = 0 \quad\text{for every } \xi. \qquad (41)$$
Fix some $\eta$. Consider the square matrices $M_1 = \bigl(\tau_\mu(\omega_\lambda)\bigr)_{\mu,\lambda}$, $M_2 = \bigl(\tau_\mu(\omega^*_\lambda)\bigr)_{\mu,\lambda}$, $X = (x_{\mu\eta\nu})_{\nu,\mu}$, and the diagonal matrices $M_3$ with elements $\mathfrak{M}(\tau_\mu)$ and $M_4$ with elements $\tau_\mu(X_\eta)$. The equality (22) can be interpreted as the matrix equality $M_1^T M_3 M_2 = E$, where $E$ is the identity matrix. In particular, $M_1$, $M_2$ and $M_3$ are invertible, and also $M_2 M_1^T M_3 = E$. The set of all equalities obtained from (34) under the action of all $\tau_\mu$ can be interpreted as the matrix equality $M_4 M_1 = M_1 X$. Thus $X = M_1^{-1}M_4M_1$ and $X^T = M_1^T M_4 (M_1^T)^{-1} = M_1^T M_4 M_3 M_2$. Since any two diagonal matrices commute, $M_4M_3 = M_3M_4$, so $M_2X^T = M_2M_1^TM_3M_4M_2 = M_4M_2$. Comparing the elements in the row corresponding to $\tau_\mu = \mathrm{Id}$ and the column $\mu$, we obtain
$$\sum_\nu x_{\nu\eta\mu}\,\omega^*_\nu = X_\eta\,\omega^*_\mu.$$
Now let $\eta$ vary. Multiply (41) by $\omega^*_\xi$ and sum over all $\xi \in \{0,1\}^{t-1}$:
$$\Bigl(\sum_\eta y_\eta X_\eta\Bigr)\Bigl(\sum_{\mu'} A_{\mu'}\,\omega^*_{\mu'}\Bigr) = 0.$$
But the first factor is nonzero because the $X_\eta$ are linearly independent over $\mathbb{Q}$ and not all of the $y_\eta \in \mathbb{Q}$ are zero. The second factor is $Z$, which is nonzero due to Theorem 16. The contradiction proves the lemma. □

So it is sufficient to solve an $m \times m$ linear system with a nonsingular matrix to find $\{b_\mu\}$. For example, one can use standard Gaussian elimination.

Finally, we give an overall scheme for our optimization of the CM method.

1. Select numbers $q = p^n$, $u, v, D \in \mathbb{Z}$ as in stage 1 of the basic algorithm from Subsection 2.2. The future curve will be defined over $\mathbb{F}_q$ and have order $q + 1 - u$.

2. Enumerate all reduced forms. Calculate $T_0$ from (18) and $N_0$ from (38) using (21). Apply the algorithm from Section 7.

3. Calculate the required precision $\varepsilon$ from (39). Calculate the polynomial $H_D[j]$ by its definition approximately, with precision $\varepsilon$.

4. For each coefficient of the polynomial, calculate the decomposition of its doubled real part as a $\mathbb{Z}$-linear combination of the $\beta_\mu$. In order to do this, obtain a system of linear equations with the left-hand side (40) using (37) and solve this system. Similarly calculate the decomposition of the doubled imaginary part as a $\mathbb{Z}$-linear combination of the $\beta^*_\mu$. (If the coefficient is known to be real, the stage for the imaginary part is not necessary and one can avoid doubling the real part.)

5. Reduce the polynomial modulo any prime ideal of $O_{K_G}$ lying above $p$ to obtain a polynomial over $\mathbb{F}_q$. Calculate any root in $\mathbb{F}_q$ (there always is one). Construct an elliptic curve $E$ over $\mathbb{F}_q$ with $j$-invariant equal to the found root.

6. If the order of $E$ is not the required one, apply an isomorphism from Subsection 2.2 (a quadratic twist if $D < -4$).

As in the original method, one can use other functions $\theta$ (described in Subsection 2.3) instead of $j$. This requires correcting the bound $T$ as described in Section 6, using $H_D[\theta,\alpha^*]$ instead of $H_D[j]$, and calculating the $j$-invariant from the found value of $\theta$ as described in Subsection 2.3.
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